Jersey’s data regulator [JOIC] cannot fine JFSC for a 2024 “3-year vulnerability” data breach

28/10/2025

In January 2024, JFSC’s Data Protection Officer contacted the Authority to advise that JFSC had suffered a personal data breach involving its Companies Registry portal due to a critical flaw in third-party-provided software implemented in 2021.

This has now been investigated, and the Jersey Office of the Information Commissioner [JOIC] has published its findings, stating:

  • The JFSC has avoided a fine after the “restricted data” of nearly 67,000 individuals was put at risk by a system flaw dating back three years.

The issue first came to light in March 2024, with the Jersey Financial Services Commission confirming that the flaw allowed public access to a confidential register containing the names and addresses of 66,806 individuals associated with finance companies.

  • This included beneficial owners, controllers, directors, members, nominated persons, and company secretaries.
  • The vulnerability in the system dates back to 2021, when the registry was implemented, meaning the restricted personal information has been accessible to the public for three years.

In a statement published this afternoon, the Jersey Office of the Information Commissioner concluded:

  • The nature of the breach would have warranted initiating the process to consider an administrative fine.
  • But “as public authorities are not subject to such fines under the current framework, no further consideration was given to this”.

The data protection watchdog also confirmed that:

  • There was no evidence that the personal information had been used to the detriment of the affected individuals, and
  • No complaints had been received from them.
  • The JFSC co-operated fully with the inquiry and “made full and frank admissions as to the shortcomings in various areas that led to system vulnerability”.

The JOIC, therefore, concluded that it was:

  • “Satisfied that there is little risk to individuals regarding a re-occurrence of these vulnerabilities in system security”.

In a statement posted online, the JFSC said it was

  • “Deeply sorry this data breach occurred” and fully accepted the JOIC’s findings.
  • “Together with a forensic review, we commissioned an independent third-party root cause analysis. All actions arising from this analysis have been completed, and we worked closely with JOIC throughout this process.
  • “We appreciate JOIC’s recognition of the steps we have taken to address the issues identified, and we remain committed to maintaining and enhancing the technical and organisational measures necessary to ensure the continued protection of data.
  • “We are grateful to JOIC for their engagement and guidance throughout this process, and to our wider stakeholder community.
  • “We will continue to embrace best practice to protect stakeholder data and Jersey’s reputation as a leading international finance centre.”
