FCA admits data breach

In a statement published today (February 25) the regulator said it had referred itself to the Information Commissioner’s Office over the incident, which occurred in November 2019. 

In response to a Freedom of Information request the FCA mistakenly published on its website the details of individuals who had made a complaint to the regulator between January 2018 and July 2019.  

In some instances these confidential details included names, addresses, telephone numbers and also the nature of the complaint. 

The FCA said: "As soon as we became aware of this, we removed the relevant data from our website. We have undertaken a full review to identify the extent of any information that may have been accessible.

"Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.

"In many instances, the extent of the accessible information was only the name of the person making the complaint, with no further confidential details or specific details of their complaint."

The regulator said it was making contact with the individuals concerned to "apologise and to advise them of the extent of the data disclosed and what the next steps might be" and had taken "immediate action" to avoid a repeat incident. 

The FCA sought to reassure the public no financial, payment card, passport or other identity information were included in the data breach.

The watchdog has been keen to emphasis the importance of data sharing and privacy rules in recent months, teaming up with the ICO and the Financial Services Compensation Scheme to warn authorised firms of the importance of protecting client data. 

The move saw the FCA ready itself for a fresh crackdown on the industry as it warned some authorised firms and insolvency practitioners had attempted to unlawfully sell client data to claims management companies.

rachel.mortimer@ft.com 

What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know.