If you were to list the top five organisations in Jersey that need water-tight security, the Jersey financial services regulator would be right up there. Take a moment to think about the highly confidential information they hold and process, such as beneficial ownership and investigations.
Unfortunately, the JFSC’s online registry had carried a security vulnerability since January 2021; it was discovered three years later, on 23rd January 2024.
The JFSC’s web application pulls data from the Registry system using Application Programming Interfaces (APIs). APIs are commonly used as a channel to move data between different applications. When searches are made, the web application and API filter them to ensure access is only provided to publicly available data. When data is returned, the web address contains a reference to the data record in the registry.
Under certain circumstances, if this reference was changed, the API would not filter the request appropriately and this could return a different record containing restricted data. On discovery of the issue, a fix was implemented within the hour, and a permanent remedy issued by the software provider was then deployed.
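The defect described above is a missing object-level authorization check: the search path filters to public data, but the record-by-reference path trusts the reference in the web address and skips the same filter. The following is an added illustration of that pattern and its fix, not code from the JFSC or its registry software provider; the record fields, the `is_public` flag and the sample records are constructed for the example.

```python
"""Object-level authorization in a registry lookup API.

Added illustration, not the JFSC's or its vendor's code. The registry
records, field names and the `is_public` flag are constructed to show the
class of defect described above: a search endpoint that filters to public
data while the record-by-reference endpoint omits the same filter.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    ref: int          # the reference that appears in the returned web address
    name: str
    address: str
    is_public: bool   # constructed flag: False means the record is restricted


# Constructed sample data standing in for a registry; not real records.
REGISTRY = {
    1001: Record(1001, "Example Trustees Ltd", "1 Sample Street, St Helier", True),
    1002: Record(1002, "J. Doe", "Restricted Lane, Private Parish", False),
    1003: Record(1003, "Example Holdings Ltd", "2 Sample Street, St Helier", True),
}


def search(term: str) -> list[Record]:
    """Search endpoint: filters to public records, as the page says the
    web application and API do for searches."""
    return [
        r for r in REGISTRY.values()
        if r.is_public and term.lower() in r.name.lower()
    ]


def get_record_vulnerable(ref: int) -> Optional[Record]:
    """Record-by-reference endpoint that trusts the reference from the URL
    and never re-applies the public filter. A changed reference therefore
    returns a restricted record: the flaw the article describes."""
    return REGISTRY.get(ref)


def get_record_hardened(ref: int) -> Optional[Record]:
    """Same endpoint with the authorization check applied on every lookup,
    not only on search. To an anonymous caller a restricted record looks
    exactly like a missing one, so existence is not confirmed either."""
    record = REGISTRY.get(ref)
    if record is None or not record.is_public:
        return None
    return record


def public_refs_from_search(term: str) -> set[int]:
    """References a user legitimately sees in search results."""
    return {r.ref for r in search(term)}


if __name__ == "__main__":
    seen = public_refs_from_search("example")
    print("references exposed by search:", sorted(seen))
    other = 1002  # a reference that never appears in public search results
    print("vulnerable lookup of", other, "->", get_record_vulnerable(other))
    print("hardened   lookup of", other, "->", get_record_hardened(other))
```

The fix is to enforce the filter at the point where a record is fetched, rather than only where a list of results is built, so that every path to a record passes through the same check; returning "not found" for restricted records avoids confirming that a reference exists.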
The Jersey Financial Services Commission (JFSC) have confirmed that their corporate network was not compromised. Also, with the support of an independent cyber security partner, they have conducted searches, including on the dark web, to see if there is any evidence that the data has been exposed. They have no evidence of this, and monitoring is ongoing.
The JFSC say they: “Have conducted an initial forensic review with an independent cyber security partner. This review identified that the vulnerability was due to a misconfiguration in our third-party-supplied Registry system, which had been implemented in January 2021.
“This vulnerability allowed access to non-public names and addresses. It did not link any individuals to registered entities or roles held.
“We immediately took action to resolve the issue and have separately written to certain individuals whose name and address was accessed and to whom we owe an obligation to communicate individually.
“We deeply regret this has occurred and are currently undertaking further investigations to determine how this happened. We have been working throughout with the Jersey Office of the Information Commissioner.”
The JFSC holds approximately 1 million separate records in the Registry system. In many instances, this includes individuals who are listed on multiple occasions due to the numerous roles they hold and different relationships with multiple service providers.
Of these, 66,806 individuals have had their names and addresses accessed via the API in circumstances where this information was not already in the public domain through the registry system.
Of the 66,806, the JFSC says it has written to the 2,477 people whom it has assessed as potentially impacted, in accordance with its obligations under the Data Protection (Jersey) Law 2018.
The JFSC said: “Only names and addresses were accessed with no link to any specific registered entity or any role held. We have written directly to those people who we have assessed fall into a higher risk category.”
If you have been affected or are worried that you have been impacted, you can contact the JFSC at [email protected].