
JFSC data vulnerability incident in June 2024 affects 261 people.

14/07/2024

On 24 June 2024, the JFSC was alerted to an issue that had inadvertently occurred during registry system maintenance.

This resulted in some non-public information on the 2021 Transition and Annual Confirmation form becoming publicly accessible from 21 to 24 June, affecting 261 people.

The JFSC Registry issued a cyber/data incident public statement on 12 July 2024.

The highlights are:

  1. This incident was caused by human error during routine systems maintenance, where change control protocols were not applied correctly.
  2. The issue has now been resolved.
  3. The information was in the JFSC 2021 Transition and Annual Confirmation form. Some non-public information became publicly accessible from 21 to 24 June, affecting 261 people.
  4. The JFSC has written to those individuals affected and notified the relevant Trust Company Businesses.

Is there a connection to the previous registry system vulnerability detected on 23 January 2024?

  1. The JFSC says there is no connection. The previous registry system vulnerability was detected on 23 January 2024.
  2. The JFSC instigated an independent investigation into a separate registry system vulnerability detected on 23 January 2024.
  3. The findings of the investigation are due in late Summer 2024.

THE JFSC SAYS

  • As soon as we became aware of this issue, we acted immediately and remedied the situation on the same day. We are engaged with the Jersey Office of the Information Commissioner.
  • Trust and confidence in the security and confidentiality of our registry system is a critical priority.
  • We are sorry this issue occurred and have undertaken a thorough review to pinpoint the exact cause to ensure this does not happen again.
  • We understand the importance of this situation and are committed to communicating with you in an open and open manner.
  • We have written to those individuals affected and let the Trust Company Businesses know.

FAQS – THE JFSC SAYS

Who accessed the data, and what has happened to it?

  1. It is common for registry users to download publicly available documents for bona fide business reasons.
  2. A registry user downloading a form receives it electronically via an email provided. In all cases we hold these recipient email addresses. However, in line with our obligations with respect to the Data Protection (Jersey) Law 2018 we cannot disclose recipient details.
  3. Our assessment of registry user activity over the period was normal and in line with expectations. We also know that in the majority of cases, the form was downloaded as part of a bundle of forms when the user chose ‘select all’.
  4. We are therefore concluding that the 2021 Transition and Annual Confirmation form was likely to have been inadvertently accessed as part of normal user activity during the limited period it was available to view.
  5. We also know that the majority of forms were downloaded on only one occasion.

How did this happen?

  1. As part of a minor maintenance update, a form that should not have been publicly available was categorised as ‘public’ in error.
  2. We have undertaken a thorough review to pinpoint the exact cause to ensure this does not happen again.

Can you provide reassurance that JFSC’s systems are secure?

  1. The issue has been resolved and we have protocols in place to manage maintenance and changes to our systems. We will take learnings from this incident to help ensure that errors do not occur in future.
  2. We accept that no data breach is acceptable and continue to work hard to ensure controls are in place to protect the information we hold.
  3. All JFSC systems and networks are subject to comprehensive risk assessments, and periodic external testing to ensure the security of systems and data. Additionally, JFSC systems are subject to 24/7 security monitoring by a specialist provider.

How did the JFSC determine who was impacted?

  1. In accordance with the Data Protection (Jersey) Law 2018, the JFSC have a legal obligation to communicate directly with those individuals where we have assessed, based upon risk, that this is appropriate.
  2. We undertook a risk assessment with reference to the framework proposed by the European Union Agency for Cyber Security (ENISA). The result of that risk assessment informed our decision to individually notify the 261 individuals.

SOURCES

https://www.jerseyfsc.org/registry-system-public-statement-12-july-2024/
