Jersey’s financial services watchdog has avoided a fine after after the “restricted data” of nearly 67,000 individuals was put at risk by a system flaw dating back three years.
The issue first came to light in March 2024, with the Jersey Financial Services Commission confirming that the flaw allowed public access to a confidential register containing the names and addresses of 66,806 individuals associated with finance companies.
This included beneficial owners, controllers, directors, members, nominated persons, and company secretaries.
The vulnerability in the system dated back to 2021 when the registry was implemented, meaning the restricted personal information has been open to the public for three years.
But now, following a full investigation by the data protection watchdog, it has today emerged that the JFSC will not be fined for the breach.
In a statement published this afternoon, the Jersey Office of the Information Commissioner concluded that the nature of the breach would have warranted initiating the process to consider an administrative fine but “as public authorities are not subject to such fines under the current framework, no further consideration was given to this”.
The data protection watchdog also confirmed that there was no evidence that the personal information had been used to the detriment of individuals affected, and no complaints had been received from individuals affected by the breach.
The JFSC co-operated fully with the inquiry and “made full and frank admissions as to the shortcomings in various areas that led to system vulnerability”, the statement said.
The JOIC therefore concluded that it was “satisfied that there is little risk to individuals regarding a re-occurrence of these vulnerabilities in system security”.
In a statement posted online, the JFSC said it was “deeply sorry this data breach occurred”, and fully accepted the JOIC’s findings.
The statement continued: “Together with a forensic review, we commissioned an independent third-party root cause analysis. All actions arising from this analysis have been completed, and we worked closely with JOIC throughout this process.
“We appreciate JOIC’s recognition of the steps we have taken to address the issues identified, and we remain committed to maintaining and enhancing the technical and organisational measures necessary to ensure the continued protection of data.
“We are grateful to JOIC for their engagement and guidance throughout this process, and to our wider stakeholder community.
“We will continue to embrace best practice to protect stakeholder data and Jersey’s reputation as a leading international finance centre.”