“The publication of this information was a mistake by the FCA.”
That was the assertion made by the Financial Conduct Authority (FCA) when the regulator owned up to a data breach, pledging immediate action to ensure it cannot happen again.
“The FCA was recently made aware that, in a response to a Freedom of Information Act request published on our website in November 2019, certain underlying confidential information may have been accessible,” noted the watchdog.
“The response related to the number and nature of new complaints made against the FCA and handled by the complaints team between January 02, 2018 and July 17, 2019.”
According to the FCA, it removed the relevant data from its website as soon as it found out about the error and has also undertaken a full review to identify the extent of any information that may have been accessible. The matter has been referred to the Information Commissioner’s Office (ICO).
“Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data,” stated the FCA. “In many instances, the extent of the accessible information was only the name of the person making the complaint, with no further confidential details or specific details of their complaint.
“However, there are instances where additional confidential information was contained within the description of the complaint, for example an address, telephone number, or other information. Where this is the case, we are making direct contact with the individuals concerned to apologise and to advise them of the extent of the data disclosed and what the next steps might be.”
Meanwhile, the watchdog offered assurances that the incident did not involve financial, payment card, passport, or other identity information.
There’s no word yet from the ICO on the breach. On December 20, 2019, the authority issued a final monetary penalty notice of £275,000 against pharmacy Doorstep Dispensaree for storing 500,000 medical documents containing sensitive medical data in unlocked containers. According to the February 2020 Beazley Breach Insights report, this is the ICO’s first fine under the General Data Protection Regulation.
Last year, £183 million and £99 million in fines were proposed by the ICO against British Airways and Marriott Hotels, respectively. These massive penalties have yet to be finalised.