UK financial watchdog admits to leaking confidential consumer data

A Freedom of Information Act request published on the FCA website revealed more than it should.
Written by Charlie Osborne, Contributing Writer

The UK Financial Conduct Authority (FCA) has admitted to a data breach that exposed confidential information belonging to roughly 1,600 consumers. 

On Tuesday, the financial watchdog said the information exposure occurred following the public release of data in response to a Freedom of Information Act (FOI) request.

FOI requests can be made in the United Kingdom for records held by public authorities. The request at the heart of the data leak was made in relation to how many complaints were made against the FCA -- and handled by the authority's complaints team -- between January 2, 2018, and July 17, 2019.

When these records were published and made available on the FCA website in a document, the confidential information of complainants, of which there were approximately 1,600 during this timeframe, was also made public. 

"Certain underlying confidential information may have been accessible," the FCA says. "The publication of this information was a mistake."

Names, complaint descriptions, addresses, telephone numbers, and other information were exposed, although it is believed that roughly half of the individuals included only had their names revealed, and nothing else.

No financial information, passport, or other ID records were published, the agency added. 

The FCA has now removed the records and is contacting the consumers involved in the leak directly to apologize. 

The UK's Information Commissioner's Office (ICO) has been notified of the incident, in which FCA officials have likely been left red-faced -- especially as the regulator previously fined UK supermarket chain Tesco £16.4 million for lax security standards in the wake of a cyberattack against customers.  

The ICO is responsible for conducting investigations into GDPR complaints and issuing fines; at least, for now, considering the potential ramifications of Brexit on data protection laws. Over 160,000 data breach notifications have been forwarded to the ICO in the last 18 months. 

"We have taken immediate action to ensure this cannot happen again," the FCA said. "We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data."
