Watchdog investigating JFSC breach of 67k people's private data

Friday 22 March 2024

Jersey's data protection authority has confirmed a probe into Jersey's financial services watchdog remains ongoing after it emerged that the "restricted data" of nearly 67,000 individuals was able to be accessed due to a system flaw dating back three years.

The Jersey Financial Services Commission confirmed earlier this month that the flaw allowed public access to a confidential register containing the names and addresses of 66,806 individuals associated with finance companies.

This included beneficial owners, controllers, directors, members, nominated persons, and company secretaries.

The vulnerability in the system dates back to 2021 when the registry was implemented, the JFSC confirmed, meaning the restricted personal information has been open to the public for the past three years. 

The JFSC clarified that the data did not link individuals to specific entities or roles.

The Jersey Office of the Information Commissioner this week confirmed that it is currently investigating the matter.

However, the data watchdog said it will not be making any public comment at this stage.

Pictured: The JFSC confirmed that the vulnerability in the system dates back to 2021 when the registry was implemented.

In a statement on 7 March, the JFSC said it first learned of the issue on 23 January.

It confirmed that "an immediate fix was implemented within the hour of our becoming aware of the issue, and a permanent remedy issued by the software provider was then deployed" and has since been working with the Jersey Office of the Information Commissioner.

The financial services regulator said that it was not possible to say "with certainty" who had accessed the data because this was done via a public API.

The JFSC wrote to only 2,477 of the 66,806 affected individuals because this was the number of people they were legally obligated to inform. 

In a statement, the JFSC said: “We deeply regret this has occurred and are currently undertaking further investigations to determine how this happened.

“We understand that no data compromise is acceptable, and we work hard to ensure controls are in place to protect the information we hold.”

Pictured: Deputy Ian Gorst said that he had commissioned an independent investigation to determine that the actions taken to date have been appropriate.

The Minister with responsibility for Financial Services, Deputy Ian Gorst said: “I am assured by the JFSC that they have resolved a vulnerability that has affected a limited number of entries in their online Registry system.

“I am sorry that that this fault occurred, and I understand that the JFSC are conducting the most thorough of investigations to make sure lessons are learned and the design of the Register is improved and strengthened.

“Further to this, I have commissioned an independent investigation to determine that the actions taken to date have been appropriate. I will not be making any further comment until this inquiry has been completed.”

The JFSC said they will regularly update their website with information and will commission an independent review. 

The Guernsey Financial Services Commission also this week confirmed to Express that it does not run the same software as the JFSC, so had not been "directly affected by the same vulnerability".

In a statement, the GFSC said: "As with any organisation that operates public facing systems that collect and disseminate information, the Commission runs regular penetration tests.

"Recent tests have included checks for vulnerabilities in the configuration and set up of our Application Programming Interface (API) and at that time no such issues been detected in the Commission’s portals.”