The JFSC says it has made changes in its drive to avoid further data breaches
12/11/2025
The JEP reported on November 11, 2025, that the External Relations Minister said
- CHANGES to the way the financial services regulator handles sensitive information have been made to ensure that data breaches – like one that saw 67,000 names and addresses posted online* – cannot happen again.
Deputy Ian Gorst, speaking in an Economic and International Affairs Scrutiny Panel hearing yesterday, said that:
- He had been assured that the Jersey Financial Services Commission was “extremely mindful” of the data that it held and
- That it had “made the necessary changes” to reduce the risk of further breaches.
Last month, the Jersey Office of the Information Commissioner
- Issued a public reprimand to the JFSC for a system flaw which allowed public access to a confidential register containing the names and addresses of nearly 67,000 people.
- There was no evidence that this information had been used to the detriment of any individual on the register.
Despite this, no fine was issued as public authorities cannot be fined for data protection breaches.
Deputy Gorst said:
- “I am advised and assured that they have made the necessary changes and enhancements to ensure that those breaches don’t occur again.
- “What I think is also important is that we recognise that some of the UK’s blue-chip institutions probably could have stood in front of you and made the same commitment, and they’ve been ultimately found wanting.
- “I know that from the regulator’s perspective, they are extremely mindful of how sensitive the data is that they hold – a bit like Revenue Jersey – and therefore they’ve got to have the best available systems to them.
- “We also know, of course, once something’s gone wrong, it’s how we then deal with it and how we move forward, which is the most important thing, but I am advised that their system is such that all of the open areas have been closed and the system has been changed to ensure that it doesn’t happen again.”
During the hearing, Deputy Gorst also
- Rejected claims that there was a lack of cybersecurity guidance in Jersey.
Panel chair Deputy Montfort Tadier said
- He had been contacted by someone from the financial services industry who said there were “almost no rules” and that a number of firms were turning to Guernsey guidance to establish best practices.
The minister said:
- “I think that would be a slightly unfair characterisation of what Jersey per se is doing, because the [Jersey] Cyber Security Centre has issued guidance and it does very good work.”
*Comsure Footnote
COMSURE NOTE ON THE MINISTER'S COMMENTS:
- What happened?
A vulnerability in the JFSC’s registry system allowed unauthorised access to non-public names and addresses via an API. This issue was discovered on 23 January 2024 and fixed within an hour, with a permanent solution deployed later. [channeleye.media]
- How many records were affected?
Approximately 66,806 individual records (names and addresses only) were accessed illegally. These details were not meant to be public and were not linked to any specific registered entity or role. [comsuregroup.com]
- Were the details posted online?
JFSC has stated that, after forensic reviews and dark web searches, they found no evidence that the data has been exposed online. Monitoring is ongoing. [channeleye.media]
- Impact and response:
JFSC holds about 1 million records in its registry. They wrote directly to 2,477 individuals assessed as higher risk under the Data Protection (Jersey) Law 2018. They also issued a public statement and are working with the Jersey Office of the Information Commissioner. [comsuregroup.com]
So, while the breach did occur and 66,806 names and addresses were accessed, there is no confirmed evidence that these were posted online.