Jersey's financial services regulator suffers second security issue this year

Jersey’s Financial Services regulator has reported its second security issue of 2024.

The Jersey Financial Services Commission (JFSC) became aware on 24th June 2024 of an issue which inadvertently occurred during maintenance of their Registry System.

This issue resulted in information on the 2021 Transition and Annual Confirmation form, some of which was non-public information, becoming publicly accessible from 21st to 24th June, affecting 261 people. It was caused by human error during routine systems maintenance where change control protocols were not applied correctly.

The JFSC say that as they became aware of this issue, they “acted immediately and remedied the situation on the same day”.

The JFSC said: “We are engaged with the Jersey Office of the Information Commissioner. Trust and confidence in the security and confidentiality of our Registry System is a critical priority.

“We are sorry this issue occurred and have undertaken a thorough review to pinpoint the exact cause to ensure this does not happen again.

“We have written to those individuals affected and notified the relevant Trust Company Businesses. ”

The previous JFSC security issue this year

The JFSC say this issue is not connected to the system vulnerability reported earlier this year.

The JFSC instigated an independent investigation into a separate Registry System vulnerability that was detected on 23rd January 2024. The findings of the investigation are not due until late “Summer 2024”.

The JFSC said: “The [first] issue has been resolved and we have protocols in place to manage maintenance and changes to our systems. We will take learnings from this incident to help ensure that errors do not occur in future.

“We accept that no data breach is acceptable and continue to work hard to ensure controls are in place to protect the information we hold.

“All JFSC systems and networks are subject to comprehensive risk assessments, and periodic external testing to ensure the security of systems and data. Additionally, JFSC systems are subject to 24/7 security monitoring by a specialist provider.”

What happened?

As part of a minor maintenance update, a form that should not have been publicly available was categorised as ‘public’ in error.

The JFSC say that they have undertaken a review to pinpoint the exact cause to ensure this does not happen again.

Have you been impacted?

The JFSC say that they have written to those individuals affected and notified the relevant Trust Company Businesses.

“In accordance with the Data Protection (Jersey) Law 2018, we have a legal obligation to communicate directly with those individuals where we have assessed, based upon risk, that this is appropriate. We have written directly to those affected and the relevant Trust Company Businesses.”

Should further support be required, the JFSC has a dedicated team who can be contacted by telephone and email: