
Slapped wrists for Financial Conduct Authority staff who emailed work data home

(2025/06/13)


Four staffers at the UK's Financial Conduct Authority (FCA) were let off with warnings over separate cases involving the transmission of regulator data to their personal email accounts.

Three of the employees at the authority received their first written warning for emailing unspecified data, according to a Freedom of Information Act (FoI) request. The financial watchdog looks after vast amounts of data, including complaints against companies. It also regulates when organizations in the finance sector suffer data breaches, and fined credit reference agency [1]Equifax £11 million ($15.7 million) for an incident that put millions of UK consumers at risk of financial crime.

The fourth staffer is already on their "final written warning" for emailing FCA data to themselves, which the body said violates its systems' acceptable use policy.


The cases took place in the 2022/23 financial year, and details of a possible fifth violation were included in the FCA's response, although they were withheld under section 40 of the FoI Act.


Section 40 exemptions come into play when disclosing information pertinent to the request would likely lead to the identification of the individual at fault. No similar incidents were identified in the financial years since.

The FCA, which employs more than 5,000 people, did not specify the nature of the data transmitted to personal email accounts or its size, although The Register asked it for clarity on the matter.


An FCA spokesperson provided a statement but did not comment on the nature of the data involved in these cases.

They said: "We take any breaches of our email security policies seriously and have systems and controls in place to manage breaches of email security. Breaches can and do result in an investigation and can lead to disciplinary sanctions.

"We have had no such incidents which required disciplinary sanctions in the years 2023/24 and 2024/25."


The regulator is responsible for overseeing the UK's financial services industry, and one of its responsibilities is to investigate data mishaps at organizations under its remit, including mishaps of the same kind its own staff have now caused.

Like the Information Commissioner's Office (ICO), it has the power to issue punishments such as fines and other sanctions when organizations violate its rules.

Years before these data incidents took place, the regulator was forced to own up to a separate blunder involving the [7]accidental leak of data related to people who filed complaints against it.

Around 1,600 complainants had their personal information, including names, addresses, and phone numbers, included in an FoI response uploaded to its website back in 2020.

Since then, several other UK public sector organizations have confirmed breaches via similar means.

[8]Southend-on-Sea City Council, [9]Suffolk and Norfolk police, and the infamous [10]Police Service of Northern Ireland (PSNI) breaches all stemmed from mishandling FoI responses, with the latter proving [11]especially concerning for those involved.


Commenting on the news of the FCA's four written warnings, Patrick Sullivan, CEO at the Parliament Street think tank, called the conduct involved "reckless and irresponsible," and called on the regulator to improve its data protection policies.

Andy Ward, SVP international at Absolute Security, said: "The FCA is tasked with managing extremely sensitive data, and the use of personal email accounts greatly increases the likelihood of a major security breach.

"Against the backdrop of several high profile cyberattacks, it's vital that all organizations wake up to the very real threat posed by unprotected devices and IT systems, and ensure cyber resilience is at the top of the [16]boardroom agenda."

Arkadiy Ukolov, co-founder and CEO at Ulla Technology, said the scale of these offenses extends far beyond the small number at the FCA – tens of thousands of employees are sharing corporate information across personal email and [17]AI assistants "every day."

"The reality is that most companies have no idea this is happening or the [18]security risks involved," he added. "That's why it's crucial that robust policies and procedures are put in place, so all information can only be shared through secure channels." ®




[1] https://www.theregister.com/2023/10/13/equifax_fca_fine/


[7] https://www.theguardian.com/business/2020/feb/25/fca-confidential-details-data-breach

[8] https://www.theregister.com/2023/11/06/southend_council_foi_leak/

[9] https://www.theregister.com/2023/08/15/norfolk_and_suffolk_police_data_breach/

[10] https://www.theregister.com/2023/08/09/psni_data_breach/

[11] https://www.theregister.com/2025/02/14/two_charged_psni_data/


[16] https://www.theregister.com/2025/03/10/nhs_security_culture/

[17] https://www.theregister.com/2025/04/29/metas_standalone_ai_app

[18] https://www.theregister.com/2025/05/14/cyberuk_ai_deployment_risks/




Carl W

This sort of behaviour is often the result of the employees being supplied IT kit that is so locked down that it makes work difficult or impossible (USB ports disabled, cannot print to a printer other than one in the office when WFH). By trying to make things more secure the employer ends up making things less secure due to these workarounds.

Andy Non

"workarounds"

At one place I worked 20+ years ago, corporate security and software development were housed in different buildings and were often at odds with each other at a senior level well beyond my pay grade. I was given the opportunity to do some software development working from home on my own desktop computer. The problem was transferring program source code between my corporate PC and home computer. The work computer was locked down to within an inch of its life with USB ports blocked and no way to use floppy disks, CDs etc. It wasn't possible to email program code by email, even if zipped. It never got past the firewall restrictions. Similarly encrypted files or password protected files were blocked.

However, the company did do a lot of work with data and transferring data via email so: Workaround. I knocked up a little program that converted zip files of my program code into CSV files which had numbers in the range 0 to 255. Innocent looking numeric data which went through the firewall without issue. My little program simply recreated the software source code zip files at the other end. What a faff though. While my boss was very happy with this arrangement, I doubt corporate security would have been so happy, had they ever found out.
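The workaround described in the comment above is exactly the kind of covert channel an email DLP gateway has to inspect for rather than trust the attachment's file type. The following is an added example, not code from the article or from any of its commenters: a content-inspection check that decodes a CSV whose cells are all integers in the range 0 to 255 back into bytes and flags it when those bytes carry a known file signature or show the high entropy of compressed data. The sample attachments, the `min_bytes` and `entropy_threshold` values, and the function names are all constructed for this demonstration, not taken from any real DLP product.

```python
"""DLP-style check for binary files smuggled out as byte-valued numeric CSV.

Added example (not from the article or its commenters). Assumption: the
attachment encodes one byte per CSV cell as a decimal 0..255, as the comment
describes. Everything here is constructed for the demonstration.
"""
import csv
import io
import math
import zipfile
from typing import Optional

# Known leading bytes of file types a regulator would not expect in a CSV.
FILE_MAGICS = {
    b"PK\x03\x04": "zip/office archive",
    b"%PDF": "pdf document",
    b"\x7fELF": "elf executable",
    b"MZ": "windows executable",
}


def _make_zip_bytes() -> bytes:
    """Constructed fixture: a small zip archive of a source file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("main.c", "int main(void) { return 0; }\n" * 40)
    return buf.getvalue()


# Constructed "smuggled" attachment: the archive bytes laid out 16 per row.
_raw = _make_zip_bytes()
SMUGGLED_CSV = "\n".join(
    ",".join(str(b) for b in _raw[i:i + 16]) for i in range(0, len(_raw), 16)
)

# Constructed benign attachment: repetitive sensor-style readings.
BENIGN_CSV = "\n".join("20,21,22,21,20,19" for _ in range(20))


def decode_numeric_csv(text: str) -> Optional[bytes]:
    """Return the byte stream if every non-empty cell is an integer 0..255.

    Any header word, negative number, decimal or value above 255 means the
    file is ordinary tabular data, so None is returned.
    """
    out = bytearray()
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            cell = cell.strip()
            if not cell:
                continue
            if not (cell.isascii() and cell.isdigit()) or int(cell) > 255:
                return None
            out.append(int(cell))
    return bytes(out) if out else None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_csv(text: str, min_bytes: int = 64,
                entropy_threshold: float = 6.0) -> dict:
    """Classify a CSV attachment; thresholds are constructed defaults."""
    data = decode_numeric_csv(text)
    if data is None or len(data) < min_bytes:
        return {"suspicious": False, "reason": "not byte-valued or too short"}
    # A recognised file header is conclusive even for a tiny payload.
    for magic, name in FILE_MAGICS.items():
        if data.startswith(magic):
            return {"suspicious": True, "reason": f"decodes to {name}",
                    "entropy": round(shannon_entropy(data), 2)}
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        return {"suspicious": True, "reason": "high-entropy byte stream",
                "entropy": round(ent, 2)}
    return {"suspicious": False, "reason": "byte-valued but low entropy",
            "entropy": round(ent, 2)}


if __name__ == "__main__":
    for label, sample in (("smuggled", SMUGGLED_CSV), ("benign", BENIGN_CSV)):
        print(label, inspect_csv(sample))
```

The signature check runs before the entropy test because a small archive may not reach the entropy threshold, while genuine numeric columns (readings, counts, prices) almost never start with a file header. The entropy threshold is a heuristic: real byte-valued datasets such as image channel dumps can be high-entropy, so in production this check would be one signal alongside sender, recipient domain and policy context rather than a block on its own.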

Anonymous Coward

Businesses don't really want to stop this, people taking work home is free overtime.

What they need to do is either find a way to allow this to happen in a controlled way (encryption, remote access etc) or find a way to stop it.

These are not new problems, there are many solutions, spend some fucking money and fix it.
