The UK Financial Conduct Authority (FCA) has admitted to a data breach that exposed confidential information belonging to roughly 1,600 consumers.
On Tuesday, the financial watchdog said the information exposure occurred following the public release of data in response to a Freedom of Information Act (FOI) request.
FOI requests can be made in the United Kingdom for records held by public authorities. The request at the heart of the data leak was made in relation to how many complaints were made against the FCA -- and handled by the authority's complaints team -- between January 2, 2018, and July 17, 2019.
When these records were published and made available on the FCA website in a document, the confidential information of complainants, of which there were approximately 1,600 during this timeframe, was also made public.
"Certain underlying confidential information may have been accessible," the FCA says. "The publication of this information was a mistake."
Names, complaint descriptions, addresses, telephone numbers, and other information were exposed, although it is believed that roughly half of the individuals included only had their names revealed, and nothing else.
No financial information, passport, or other ID records were published, the agency added.
The FCA has now removed the records and is contacting the consumers involved in the leak directly to apologize.
The UK's Information Commissioner's Office (ICO) has been notified of the incident, in which FCA officials have likely been left red-faced -- especially as the regulator previously fined UK supermarket chain Tesco £16.4 million for lax security standards in the wake of a cyberattack against customers.
The ICO is responsible for conducting investigations into GDPR complaints and issuing fines; at least, for now, considering the potential ramifications of Brexit on data protection laws. Over 160,000 data breach notifications have been forwarded to the ICO in the last 18 months.
"We have taken immediate action to ensure this cannot happen again," the FCA said. "We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data."