FCA warned four staffers who pocketed regulator data • The Register

Four staffers at the UK’s Financial Conduct Authority (FCA) were let off with warnings over separate cases involving the transmission of regulator data to their personal email accounts.
Three of the employees at the authority received their first written warning for emailing unspecified data, according to a Freedom of Information Act (FoI) request. The financial watchdog looks after vast amounts of data, including complaints against companies. It also regulates when organizations in the finance sector suffer data breaches, and fined credit reference agency Equifax £11 million ($15.7 million) for an incident that put millions of UK consumers at risk of financial crime.
The fourth staffer is already on their “final written warning” for emailing FCA data to themselves, which the body said violates its systems’ acceptable use policy.
The cases took place in the 2022/23 financial year, and details of a possible fifth violation were included in the FCA’s response, although they were withheld under section 40 of the FoI Act.
Section 40 exemptions come into play when disclosing information pertinent to the request would likely lead to the identification of the individual at fault. No similar incidents were identified in the financial years since.
The FCA, which employs more than 5,000 people, did not specify the nature of the data transmitted to personal email accounts or its size, although The Register asked it for clarity on the matter.
An FCA spokesperson provided a statement but did not comment on the nature of the data involved in these cases.
They said: “We take any breaches of our email security policies seriously and have systems and controls in place to manage breaches of email security. Breaches can and do result in an investigation and can lead to disciplinary sanctions.
“We have had no such incidents which required disciplinary sanctions in the years 2023/24 and 2024/25.”
The regulator is responsible for overseeing the UK’s financial services industry, and one of its responsibilities is to investigate data mishaps, such as those its own staff caused, at the organizations under its remit.
Like the Information Commissioner’s Office (ICO), it has the power to impose fines and other sanctions when organizations violate its rules.
Years before these data incidents took place, the regulator was forced to own up to a separate blunder involving the accidental leak of data related to people who filed complaints against it.
Around 1,600 complainants had their personal information, including names, addresses, and phone numbers, included in an FoI response uploaded to its website back in 2020.
Since then, several other UK public sector organizations have confirmed breaches via similar means.
Breaches at Southend-on-Sea City Council, Suffolk and Norfolk police, and the Police Service of Northern Ireland (PSNI) all stemmed from mishandled FoI responses, with the PSNI case proving especially concerning for those involved.
Commenting on the news of the FCA’s four written warnings, Patrick Sullivan, CEO at the Parliament Street think tank, described the conduct involved as “reckless and irresponsible,” and urged the regulator to improve its data protection policies.
Andy Ward, SVP international at Absolute Security, said: “The FCA is tasked with managing extremely sensitive data, and the use of personal email accounts greatly increases the likelihood of a major security breach.
“Against the backdrop of several high profile cyberattacks, it’s vital that all organizations wake up to the very real threat posed by unprotected devices and IT systems, and ensure cyber resilience is at the top of the boardroom agenda.”
Arkadiy Ukolov, co-founder and CEO at Ulla Technology, said the scale of these offenses extends far beyond the small number at the FCA – tens of thousands of employees are sharing corporate information across personal email and AI assistants “every day.”
“The reality is that most companies have no idea this is happening or the security risks involved,” he added. “That’s why it’s crucial that robust policies and procedures are put in place, so all information can only be shared through secure channels.” ®