It happens to the best of us. A UK regulator, the FCA (Financial Conduct Authority), has been forced to report itself to another regulator, the Information Commissioner’s Office (ICO), after it inadvertently published confidential customer information on its website.
It appears that, in response to a Freedom of Information request, the FCA published the details of a number of complaints on its website. In many instances, the only accessible information was the name of the person making the complaint, with no further confidential details and no specifics of their complaint.
However, there were a few instances where additional confidential information was contained within the description of the complaint, such as an address or telephone number.
This may not sound particularly serious, but it would put the individuals whose data was exposed in this way at increased risk from fraudsters. They might pretend to be from the FCA, perhaps offering compensation: “and of course we will need your bank details to pay you”.
The FCA has taken swift and appropriate action to reduce this risk: “Where this is the case, we are making direct contact with the individuals concerned to apologise and to advise them of the extent of the data disclosed and what the next steps might be.”
This is absolutely best practice: if the people affected by a breach are warned of the potential danger they may be in, they are far less likely to fall victim to it. Many businesses that have responded less openly to a breach could learn from this.
But why did the breach happen in the first place? It appears to be a simple case of human error. Piers Wilson, Head of Product Management at Huntsman Security, commented: “To see the FCA having to refer itself to the ICO shows how easily data can be exposed through human error. In this case it is the inadvertent sharing of a FOI response with personal data contained within it, but it can also happen through deliberate or careless sharing of spreadsheets, data sets or documents, or the transmission of emails to wrongly addressed recipients. No matter what an organisation does, or how much experience it has in security and privacy, mistakes can happen. These can be when information is intended to be shared but hasn't been sanitised, or when information is stored, transmitted or shared in other ways.”
As Piers Wilson says, this sort of thing can happen all too easily. It shows the necessity of training all staff, and not just those directly concerned with data security and privacy, in the importance of keeping personal data safe.
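As an added illustration, not part of the article or of either vendor's tooling: a small pre-publication gate that scans FOI release text for the kinds of personal data the FCA exposed (telephone numbers, addresses) and holds any flagged entry back for human review with a redacted draft. The patterns, field names and sample complaint entries are constructed for this example and deliberately over-flag; a reviewer makes the final call.

```python
import re

# Constructed patterns for the data types named in the article (phone numbers,
# addresses) plus email. They favour false positives: a hit means "review", not "delete".
PII_PATTERNS = {
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)(?:\d\s?){9,10}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "street_address": re.compile(
        r"\b\d{1,4}\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\s+"
        r"(?:Street|Road|Lane|Avenue|Close|Drive|Way)\b"
    ),
}


def find_pii(text):
    """Return (kind, matched_text) for every suspected personal-data hit."""
    return [(kind, m.group(0))
            for kind, pattern in PII_PATTERNS.items()
            for m in pattern.finditer(text)]


def redact(text):
    """Replace each hit with a labelled placeholder so a safe draft can be reviewed."""
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


def release_gate(entries):
    """Split entries into those cleared for publication and those blocked.

    Blocked entries carry their hits and a redacted draft for the reviewer.
    """
    cleared, blocked = [], []
    for entry in entries:
        hits = find_pii(entry)
        (blocked if hits else cleared).append((entry, hits, redact(entry)) if hits else entry)
    return cleared, blocked


# Constructed sample FOI response entries, not real complaints.
SAMPLE_ENTRIES = [
    "Complaint from J. Smith about delays in handling a claim.",
    "Complaint from A. Jones, 12 High Street, Leeds LS1 4AB, tel 0113 496 0123, about mis-selling.",
    "Complainant can be reached at a.jones@example.com regarding a refund.",
]

if __name__ == "__main__":
    cleared, blocked = release_gate(SAMPLE_ENTRIES)
    print(f"{len(cleared)} cleared, {len(blocked)} blocked for review")
    for original, hits, draft in blocked:
        print(hits, "->", draft)
```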
David Howorth at Rapid7 agrees, saying that the breach "highlights the importance of providing security awareness training and education for employees so that they can understand how to appropriately handle customer data as well as recognize and respond appropriately to a potential attack. As this story shows, employees can be the weakest link when it comes to security. In the end, everyone makes mistakes but organisations can take some simple yet effective steps to keep their data safe."
Those simple steps, at least in part, involve training backed up by awareness campaigns. This takes time. But no doubt the FCA has already tightened its processes around the sharing of personal data in any circumstance as an additional defence.