Security breach & data leak in FCA regulated company - how to proceed?

[Deleted User]

Hi all,

This may not be the correct subforum for this topic, but I did not find any better, sorry.

Recently I've been called by scammers who knew very detailed information about me and my personal account I hold in financial institution regulated by FCA (futures & foreign exchange broker). I knew something is not right, scammers got nothing from me, but I called the company. They confirmed they just have been hacked, they had a security breach and customer data may have leaked.

I contacted other customers who use their service, and they too confirmed that they had suspicious calls. It means, data has been sold and is in active use.

Since the hack, over a week ago, the company has confirmed (in e-mail) that they had a breach, but they don't want to tell me what data has leaked. They (most likely) still have my identification photos I used to verify my account, not to mention full personal details including address, e-mail, telephone and so on. I want to make sure the company reports this properly to the authorities and issues the customers with public announcement. At this point, what can I do?

Make a complaint?

Report them to FCA?

Report them to ICO?

I take active approach only because company is dodging my questions and still did not make any public announcement. GDPR breaches are taken very seriously, and I don't want the company to sweep everything under the rug, I remember TalkTalk has leaked customer personal data years ago, and they had to buy paid subscription for credit score reporting service for every customer, so they could watch it closely to make sure no one is taking fraudulent loans on behalf of customers and so on.

Any comments appreciated, thanks.

MorningcoffeeIV

You don't need to do anything.

They'll already have reported to the ICO themselves, so all is good and there's no rug sweeping.

They're not required to make any public announcement. Only to contact individual customers where there is an serious impact.

[Deleted User]

MorningcoffeeIV said:

You don't need to do anything.

They'll already have reported to the ICO themselves, so all is good and there's no rug sweeping.

They're not required to make any public announcement. Only to contact individual customers where there is an serious impact.

Thanks, but how do I know they reported it to ICO? How can I know which of my personal data has leaked?

DullGreyGuy

There are very blurred lines for regulated industries that are also within scope of the ICO and another regulator.

If we are honest, most of those that are subject to a data breach are more interested in personal compensation than corporate fines. As such it tends to be better to pursue the FCA/industry regulator than the ICO. The later is more likely to apply penalties but those aren't paid to complainants 

Farfetch1

[Deleted User] said:

MorningcoffeeIV said:

You don't need to do anything.

They'll already have reported to the ICO themselves, so all is good and there's no rug sweeping.

They're not required to make any public announcement. Only to contact individual customers where there is an serious impact.

Thanks, but how do I know they reported it to ICO? How can I know which of my personal data has leaked?

You don't and I don't know where they're getting that from.

Report it to the FCA and ICO.  Almost certainly they've self-reported but it won't hurt

You might also want to subscribe to CIFAS's Protective Registration https://www.cifas.org.uk/pr