Reference Case Number: FOI8294
Freedom of Information: Right to know request:
Further to FOI request 7423 please provide updated information for data breaches by category up to the end of March 2021.
- Number of reportable data breaches made to FCA individually or in conjunction with the ICO under DPA 2018 - calculated monthly and categorised by sector.
- For the period since May 2018 please also confirm the number of times FCA enforcement action (unilaterally or in conjunction with ICO) was taken in respect of data breaches reported to the FCA.
FCA response:
Before considering this request, it may be helpful to know that for this request, we define ‘data breach’ as ‘a confirmed incident in which the confidentiality of company or personal data is compromised or breached’. This does not mean that in every case personal/company data was exfiltrated/stolen.
Additionally, in relation to personal data, the Information Commissioners Office (the ICO) is the UK’s regulatory authority responsible for upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation (GDPR) does not require firms to report personal data breaches or compromises to the FCA; however, firms should consider reporting material operational incidents to us pursuant the general notification requirements contained in SUP 15.R of the FCA’s Handbook. We are not required to report personal data breaches or compromises regarding firms to the ICO; this is the responsibility of the firms.
Question 1
There were 317 individual firm notifications made to the FCA during the period 1 June 2018 to 31 March 2020 that contained notifications of a data breach/compromise as defined above. Our full response of the requested breakdown is set out in the table below.
Question 2
We have not taken any enforcement action against firms for data breaches reported to us in the time period May 2018 to May 2021.
The table below is the breakdown of reported data beaches made by firms by month and sector during the period 1 June 2018 to 31 March 2020; this is based on the date of the notification made to the FCA, not the date of the incident took place. Sectors listed are as defined within the FCA’s 2019 sector views published on our website. The data is correct as of 04/06/21 and is subject to change.
|
Months & Sectors |
General Insurance & Protection |
Investment Management |
Pensions & Retirement Income |
Retail Banking |
Retail Investments |
Retail Lending |
Wholesale Financial Markets |
Total |
|---|---|---|---|---|---|---|---|---|
|
Jun-18 |
3 |
2 |
1 |
4 |
2 |
5 |
3 |
20 |
|
Jul-18 |
4 |
5 |
2 |
1 |
3 |
2 |
|
17 |
|
Aug-18 |
3 |
3 |
1 |
|
3 |
4 |
1 |
15 |
|
Sep-18 |
4 |
|
1 |
2 |
2 |
3 |
4 |
16 |
|
Oct-18 |
2 |
2 |
1 |
3 |
4 |
2 |
4 |
18 |
|
Nov-18 |
2 |
|
|
5 |
2 |
2 |
2 |
13 |
|
Dec-18 |
3 |
|
1 |
3 |
2 |
1 |
1 |
11 |
|
Jan-19 |
5 |
|
|
1 |
3 |
3 |
3 |
15 |
|
Feb-19 |
|
2 |
1 |
1 |
4 |
4 |
1 |
13 |
|
Mar-19 |
5 |
2 |
1 |
|
1 |
3 |
1 |
13 |
|
Apr-19 |
4 |
2 |
1 |
2 |
1 |
2 |
1 |
13 |
|
May-19 |
2 |
|
|
|
1 |
1 |
|
4 |
|
Jun-19 |
1 |
|
1 |
2 |
|
1 |
2 |
7 |
|
Jul-19 |
1 |
3 |
2 |
1 |
2 |
|
2 |
11 |
|
Aug-19 |
4 |
2 |
|
2 |
1 |
2 |
3 |
14 |
|
Sep-19 |
5 |
3 |
|
4 |
|
1 |
|
13 |
|
Oct-19 |
2 |
2 |
|
|
1 |
1 |
|
6 |
|
Nov-19 |
|
|
|
|
|
2 |
2 |
4 |
|
Dec-19 |
|
|
1 |
1 |
|
|
1 |
3 |
|
Jan-20 |
1 |
1 |
|
2 |
|
1 |
2 |
7 |
|
Feb-20 |
|
|
|
1 |
|
|
2 |
3 |
|
Mar-20 |
|
|
|
1 |
|
5 |
1 |
7 |
|
Apr-20 |
1 |
2 |
|
|
1 |
|
1 |
5 |
|
May-20 |
1 |
|
2 |
1 |
3 |
1 |
1 |
9 |
|
Jun-20 |
2 |
|
1 |
2 |
2 |
1 |
1 |
9 |
|
Jul-20 |
|
5 |
3 |
1 |
1 |
1 |
3 |
14 |
|
Aug-20 |
2 |
3 |
1 |
1 |
|
|
1 |
8 |
|
Sep-20 |
2 |
|
|
1 |
|
|
|
3 |
|
Oct-20 |
2 |
|
1 |
2 |
|
1 |
|
6 |
|
Nov-20 |
1 |
|
|
1 |
1 |
3 |
|
6 |
|
Dec-20 |
|
|
|
2 |
|
1 |
|
3 |
|
Jan-21 |
1 |
|
1 |
2 |
|
|
2 |
6 |
|
Feb-21 |
1 |
1 |
|
1 |
|
|
|
3 |
|
Mar-21 |
1 |
|
|
1 |
|
|
1 |
3 |
|
|
Total |
318 |
||||||