Consumers have been left wondering whether their personal data was left open to the wider public following a recent Financial Conduct Authority (FCA) data breach.
Last month the FCA admitted that, in November 2019, it wrongly published information on its website about people who had submitted complaints to the regulator.
The breach came to light after the watchdog received a freedom of information (FOI) request asking it to share the number and nature of complaints received between 2 January 2018 and 17 July 2019.
During that period, many London Capital & Finance (LCF) bondholders complained to the FCA following the collapse of the investment firm, which sold £237m ($303.1m, €272.9m) worth of mini-bonds to over 11,600 clients.
International Adviser caught up with one of the LCF victims whose personal data was publicly accessible.
Timeline of events
The bondholder, who wishes to remain anonymous, found out their information had been exposed on the FCA’s website, despite never having sent a complaint in the first place.
The LCF investor wrote to the regulator’s chief executive, Andrew Bailey, in April 2019 to provide evidence about the investment firm, as the FCA was undertaking an investigation into the mini-bond business.
A week later, they received an email from the watchdog saying that their letter had been forwarded to the complaints team and they were provided with a reference number.
The victim then contacted the watchdog to query why the letter was being treated as a complaint.
The FCA acknowledged that this was an error and told them that their ‘case’ had been closed.
Despite this assurance, the victim was included in an email communication from the FCA a week later regarding complaints from LCF bondholders.
Less than half an hour later, the watchdog called to apologise, as they shouldn’t have been included in the correspondence because their letter to the FCA was not a complaint.
Double whammy
A year on, the LCF bondholder told IA that their details were not retracted from the complaints data set, as their personal information had been publicly accessible for around three months.
They contacted the regulator immediately after the data breach, and were told that people were able to see their first and last names.
But the victim said that other LCF victims have had their addresses and mobile phone numbers released.
IA reached out to the FCA for comment and the regulator said: “We cannot comment on individual cases, but we are continuing to engage with potentially impacted individuals and are monitoring developments.”
Some LCF investors have also been targeted by scammers to discuss compensation, but it is not clear whether this is related to the breach of their personal data.