Outcomes - Selected Case Summaries
Categories
Regulator incorrectly discloses an entity application
Freedom of Information | 02 May 2023
A regulator was made aware of a breach involving two applications containing the personal information of 5 individuals being sent to an unintended entity via a filing submission system. The data included dates of birth, country of birth, name of the entity’s ultimate beneficial owner, directors, and AML service providers.
The regulator promptly contained the breach by contacting the unintended entity to confirm the document downloaded was deleted from the company’s system, and ensure no other information was accessed. The regulator also immediately adjusted and corrected the unintended entity's access profile in the filing submission system.
The regulator's response to the breach was appropriate. However, the notification of the affected individuals fell short of the statutory requirement, since it should also provide details on how the breach occurred and the actions taken to remedy the error. The regulator revised the notification following our recommendations, and the case was closed.