FCA data leak branded “embarrassment”, former CEO called for review
The Financial Conduct Authority (FCA), the UK regulator which fines financial institutions for data breaches, has admitted to its own data breach after victims of the collapsed savings firm London Capital & Finance (LCF) were sent messages by scammers.
LCF customers, including the prolific Brexiteer businessman Arron Banks, were among 1,600 people whose names, addresses and phone numbers were accidentally published on the FCA’s website.
News of the leak arrives as UK activist Gina Miller and MPs call for the FCA’s former CEO Andrew Bailey, who is set to become the new Bank of England governor next month, to undergo a review due to what Miller calls a “tsunami of failure” under his leadership at the FCA.
Miller says the appointment of Bailey would be a “gross betrayal of the government’s duty to protect consumers and a textbook example of rewarding failure”. Currently, Christopher Woolard is the FCA’s interim CEO.
The details leaked on the regulator’s website between November 2019 and this month were from people who had made complaints between January 2018 and July 2019, during which LCF fell into administration, owing £237 million to more than 12,000 people.
Many customers also complained about the FCA’s conduct surrounding the firm’s collapse, after it was revealed that the regulator had repeatedly failed to act on warnings from whistleblowers.
David Emm, a principal security researcher at Russian cybersecurity firm Kaspersky, calls the leak an “embarrassment”.
“The leaking of confidential data can cause embarrassment for any company, but particularly for a regulator – and one that, a little over a year ago, fined another organisation for failure to take care of customer data.”
In September 2018, the FCA and the Information Commissioner’s Office (ICO) closed investigations into the Equifax breach with a half-million-pound fine. The breach, though much bigger in scale than the FCA’s, had some of the same hallmarks as the regulator’s leak, such as data being left vulnerable to unauthorised access.
The FCA said in a statement acknowledging the breach: “As soon as we became aware of this, we removed the relevant data from our website.”
The regulator continues: “We are making direct contact with the individuals concerned to apologise and to advise them of the extent of the data disclosed […] We have taken immediate action to ensure this cannot happen again.”
The case has now been referred to the ICO.