On 24 June 2024 we were alerted to an issue which inadvertently occurred during registry system maintenance.
This resulted in information on the 2021 Transition and Annual Confirmation form, some of which was non-public information, becoming publicly accessible from 21 to 24 June, affecting 261 people.
As soon as we became aware of this issue, we acted immediately and remedied the situation on the same day. We are engaged with the Jersey Office of the Information Commissioner.
Trust and confidence in the security and confidentiality of our registry system is a critical priority.
We are sorry this issue occurred and have undertaken a thorough review to pinpoint the exact cause to ensure this does not happen again. We understand the importance of this situation and are committed to communicating in an open and transparent manner.
We have written to those individuals affected and notified the relevant Trust Company Businesses.
FAQs
1. What happened?
On 24 June 2024 we were alerted to an issue which inadvertently occurred during registry system maintenance.
This resulted in information on the 2021 Transition and Annual Confirmation form, some of which was non-public information, becoming publicly accessible from 21 to 24 June, affecting 261 people.
As soon as we became aware of this issue, we acted immediately and remedied the situation on the same day. We are engaging with the Jersey Office of the Information Commissioner.
We have written to those individuals affected and notified the relevant Trust Company Businesses.
2. What data was accessed?
Information on the 2021 Transition and Annual Confirmation form, some of which was non-public information, became temporarily accessible.
The types of information that were accessible depended on the role undertaken by any individual in respect of the company, and we have notified each individual appropriately.
3. Who accessed the data and what has happened to it?
It is common for registry users to download publicly available documents for bona fide business reasons.
A registry user downloading a form receives it electronically via an email provided. In all cases we hold these recipient email addresses. However, in line with our obligations with respect to the Data Protection (Jersey) Law 2018 we cannot disclose recipient details.
Our assessment of registry user activity over the period was normal and in line with expectations. We also know that in the majority of cases, the form was downloaded as part of a bundle of forms when the user chose ‘select all’. We are therefore concluding that the 2021 Transition and Annual Confirmation form was likely to have been inadvertently accessed as part of normal user activity during the limited period it was available to view.
We also know that the majority of forms were downloaded on only one occasion.
4. How did this happen?
As part of a minor maintenance update, a form that should not have been publicly available was categorised as ‘public’ in error. We have undertaken a thorough review to pinpoint the exact cause to ensure this does not happen again.
5. What support is available to people who have been impacted?
In accordance with the Data Protection (Jersey) Law 2018, we have a legal obligation to communicate directly with those individuals where we have assessed, based upon risk, that this is appropriate. We have written directly to those affected and the relevant Trust Company Businesses.
To further allay any concerns, we have also communicated more widely through a public statement and published answers to ‘frequently asked questions’ on our website.
Useful information can also be found online at:
Should further support be required, the JFSC has a dedicated team who can be contacted by telephone and email:
- Email: query@jerseyfsc.org
- Telephone: +44 (0)1534 822199
6. Have you notified the relevant Trust Company Businesses?
We have written to those individuals affected and notified the relevant Trust Company Businesses.
We understand the importance of this situation and are committed to communicating in an open and transparent manner.
7. Can you provide reassurance that JFSC’s systems are secure?
The issue has been resolved and we have protocols in place to manage maintenance and changes to our systems. We will take learnings from this incident to help ensure that errors do not occur in future.
We accept that no data breach is acceptable and continue to work hard to ensure controls are in place to protect the information we hold.
All JFSC systems and networks are subject to comprehensive risk assessments, and periodic external testing to ensure the security of systems and data. Additionally, JFSC systems are subject to 24/7 security monitoring by a specialist provider.
8. How did the JFSC determine who was impacted?
In accordance with the Data Protection (Jersey) Law 2018, the JFSC have a legal obligation to communicate directly with those individuals where we have assessed, based upon risk, that this is appropriate.
We undertook a risk assessment with reference to the framework proposed by the European Union Agency for Cybersecurity (ENISA). The result of that risk assessment informed our decision to individually notify the 261 individuals.
To further allay any concerns, we have also communicated more widely through a public statement and published answers to ‘frequently asked questions’ on our website.
Should support be required, we have a dedicated team who can be contacted by telephone and email:
- Email: query@jerseyfsc.org
- Telephone: +44 (0)1534 822199
9. Is this connected to the system vulnerability reported earlier this year?
There is no connection. The JFSC instigated an independent investigation into a separate registry system vulnerability, detected 23 January 2024. The findings of the investigation are due late Summer 2024.
This most recent incident was caused by human error during routine systems maintenance where change control protocols were not applied correctly.
Media
- Members of the press should contact comms@jerseyfsc.org