
The JFSC CYBER INCIDENT FAQs UPDATED March 11 2024

11/03/2024
The timeline

FAQs - updated 11 March 2024

A) WHAT IS THE TECHNICAL ISSUE

1. What has happened? 

External access to the JFSC’s online registry is via a web application accessed on the JFSC website. When visitors make registry searches, the web application pulls data from the registry itself. As the registry contains publicly accessible data and restricted data, access controls are in place to limit what can be seen. However, an issue was identified meaning that, under certain circumstances, it was possible to access restricted data.

On discovery of the issue, a fix was implemented within the hour, and a permanent remedy issued by the software provider was then deployed. This has been validated through testing by our independent cyber security partners.  

2. What exactly was the nature of the vulnerability? 

The web application pulls data from the registry via Application Programming Interfaces (APIs). APIs are commonly used as a channel to move data between different applications. When searches are made, the web application and API filter them to ensure access is only provided to publicly available data. When data is returned, the web address contains a reference to the data record in the registry.

Under certain circumstances, if this reference was changed, the API would not filter the request appropriately and this could return a different record containing restricted data.  
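As an added illustration of the access-control gap described in Q2 (example code written for this page, not the JFSC's or its software provider's code), the following Python models a search endpoint that filters correctly beside a record lookup that trusts the reference in the request, and the hardened form that re-checks the record's visibility at the point of access. The record structure, references and names are constructed.

```python
# Constructed model of the vulnerability class in Q2: the search layer filters
# restricted records, but the record-lookup layer trusts the reference it is given.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Record:
    ref: str
    name: str
    address: str
    public: bool  # True when the registry allows anyone to see this record


# Constructed sample registry: one public record and one restricted record.
REGISTRY = {
    "r1001": Record("r1001", "A. Director", "1 Example Street", public=True),
    "r1002": Record("r1002", "B. Private", "2 Hidden Lane", public=False),
}


def search(term: str) -> list[str]:
    """Search layer: only references to public records are ever listed."""
    return [r.ref for r in REGISTRY.values()
            if r.public and term.lower() in r.name.lower()]


def lookup_vulnerable(ref: str) -> Optional[Record]:
    """Lookup that relies on the search filter alone. Because the check is not
    repeated here, a changed reference returns whatever record it points at."""
    return REGISTRY.get(ref)


def lookup_hardened(ref: str) -> Optional[Record]:
    """Fix: enforce the access control on the object itself at the point of
    access. A restricted record is indistinguishable from a missing one."""
    rec = REGISTRY.get(ref)
    if rec is None or not rec.public:
        return None
    return rec


def audit_exposed(lookup: Callable[[str], Optional[Record]]) -> list[str]:
    """Defender check: list restricted records a lookup function would hand out.
    Running this against each data-access path is the kind of verification
    that the search-time filter alone does not give you."""
    return [ref for ref, rec in REGISTRY.items()
            if not rec.public and lookup(ref) is not None]
```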

3. Has the JFSC been compromised? 

The JFSC’s corporate network was not compromised.  

4. What data was accessed? 

The information which was accessed was limited to names and addresses and did not link any individuals to a specific registered entity or any role held.   

5. Is it possible to identify someone’s role, or the entity they are connected to, from the information? 

No. Only names and addresses were accessed. No information relating to an associated role or entity was accessible. 

The information is held in a single database, and the API is not specific to the role held by an individual or entity. Accordingly, it is not possible to identify or guess the role or entity from the data.

B) MATTERS RELATING TO TIMING 

6. [UPDATED] Identification of the vulnerability 

Our Registry system was deployed in January 2021 and the issue was fixed on 23 January 2024, the day we became aware of the issue. For this period, the system allowed access to non-public names and addresses.  

External access to the JFSC’s online registry is via a web application accessed through our website. When visitors make registry searches, the web application pulls data from the Registry itself. As the Registry contains publicly accessible data and data which should not be publicly accessible, access controls are in place to limit what can be seen.  

However, an issue was identified meaning that under certain circumstances, the access controls did not work, and it was possible to access data which should not be publicly accessible. 

The software had been subject to penetration testing (where cyber security experts attempt to find and exploit vulnerabilities in computer systems to ensure they are safe), using two separate expert cyber security testing providers. The software is also subject to a monthly security scan. The system was also tested by the software provider themselves.  

Regretfully however, due to the nature of the misconfiguration, our programme of testing did not identify the vulnerability. 

We have asked an independent third-party provider, not involved in the design, implementation or management of our Registry system to carry out a root cause analysis of why the vulnerability had not been identified and resolved. 

7. [UPDATED] Timing of the public notification  

On becoming aware of the issue on 23 January 2024, a fix was implemented within the hour, and a permanent remedy issued by the software provider was then deployed. This has been validated through testing by our independent cyber security partners. 

We also conducted a forensic review to ensure we had an accurate picture of what had happened.  

We worked with our independent cyber security partners to ensure that the vulnerability in the software was not present in other APIs (application programming interfaces) which control access to Registry data. This has been confirmed by our independent cyber security partners.

Our priority is our duty of care to those whose data we hold. Before making the public statement, we needed to ensure that the vulnerability was permanently fixed in our system, and also that the public statement would not cause harm. 

Finally, we needed to take steps to notify individuals in line with our legal obligations.  

Having completed this work, we issued a public statement on 7 March 2024 to communicate more broadly and provide further transparency.  

We have worked closely with the Jersey Office of the Information Commissioner (JOIC) throughout. 

8. [NEW] Why didn't my service provider contact me directly? 

The obligation to notify impacted parties sits with the JFSC, as the ‘data controller’. Under the Data Protection (Jersey) Law 2018 this is solely our responsibility and cannot be undertaken by a third party, including the firms with which a client holds a direct relationship.

C) MATTERS RELATING TO THE PEOPLE WHOSE DATA WAS ACCESSED

9. If I am impacted, what do I need to do? 

The vulnerability has been closed and your name and address can no longer be accessed in this way. You don’t need to contact us unless you wish to do so. Whilst the information is limited to names and addresses only we understand you may still have concerns, and anyone with further queries can contact us via the dedicated email address query@jerseyfsc.org.  

10. Do I need to reset my password? 

No, as no access details have been compromised there is no need to change your username or password.   

11. How many records do you hold, and how many of these have been impacted? 

We hold approximately 1 million separate records in our registry system. In many instances, this includes individuals who are listed on multiple occasions due to the numerous roles they hold and different relationships with multiple service providers.  

Of these, 66,806 individuals have had their names and addresses accessed via the API in circumstances where this information was not already in the public domain through the registry system.  

Of the 66,806, we have directly written to the 2,477 people who we have assessed may be potentially impacted, in accordance with our obligations under the Data Protection (Jersey) Law 2018.  

12. Why have you written to 2,477? 

It is important to note that only names and addresses were accessed with no link to any specific registered entity, or any role held. We have written directly to those people who we have assessed fall into a higher risk category. We have also communicated more widely with a public statement and provided further information on our website.  

13. What was the content of the letter? 

Attached is a pro forma of the notification letter: Notification Letter from the JFSC (https://www.jerseyfsc.org/media/7433/notification-letter-from-the-jfsc.pdf)

14. [UPDATED] How did you determine who is impacted? 

In accordance with the Data Protection (Jersey) Law 2018, we have a legal obligation to communicate directly with those individuals where we have assessed, based upon risk, that this is appropriate.  

We undertook a risk assessment with reference to the framework proposed by the European Union Agency for Cyber Security (ENISA). The result of that risk assessment informed our decision to individually notify the 2,477 individuals.  

To further allay any concerns, we have also communicated more widely through a public statement and published answers to ‘frequently asked questions’ on our website. 

Should support be required, we have a dedicated team who can be contacted by telephone and email: 

Useful information can also be found online at: 

15. I have not received a letter. How do I know if I have been impacted? 

We have written directly to certain people, in line with our legal obligations. However we recognise that individuals may still have concerns, and anyone with specific questions can contact their local service provider or contact us. Information is available on our website at jerseyfsc.org.  

If you have not received a letter and have any queries, you can contact us via the dedicated email address query@jerseyfsc.org.  

16. Will you be telling service providers if their clients have been impacted? 

We will continue to work with service providers, and they will be able to provide more information to their clients directly.  

17. [UPDATED] Who accessed the data, and do you know what has happened to the data? 

We do not think it is appropriate to speculate on such matters but working with our cyber security partners, we have found no evidence of the data being made available online, including on the dark web. Ongoing monitoring is in place. 

We have kept the Jersey Cyber Security Centre informed throughout.  

18. [NEW] I am a director; why are my name and address publicly available on your Registry?

The names and addresses of all Directors listed on the Companies Register are public. This has been the case since 6 January 2021 and is in accordance with the Financial Services (Disclosure and Provision of Information) (Jersey) Law 2020. This is also a requirement of international standards (FATF Recommendation 24), which specifies that certain basic information about a company is to be publicly available (including member (shareholder) and director details).  

In addition to Directors, the names and addresses of the following are also publicly available:

  • Shareholders  
  • General Partners  
  • Partners of Limited Liability Partnerships (LLPs)  
  • Members of a foundation’s council 
  • Managers of Limited Liability Companies (LLCs) 

19. [NEW] Were your systems hacked? 

No, this was not a hack of our system or a ransomware attack. The vulnerability existed due to misconfiguration of the software in our Registry system. 

D) ASSURANCE ABOUT OUR SYSTEMS

20. [UPDATED] Are other JFSC systems secure? 

We immediately took action to resolve the issue.  

We recognise that it is never possible to eliminate all risk. However, we also understand that no data compromise is acceptable and continue to work hard to ensure controls are in place to protect the information we hold. 

All JFSC systems and networks are subject to comprehensive risk assessments, and periodic external testing to ensure the security of systems and data. Additionally, our systems are subject to 24/7 security monitoring by a specialist provider. 

We have asked an independent third-party provider, not involved in the design, implementation or management of the solution to carry out a root cause analysis of why the vulnerability had not been identified and resolved. 

21. [NEW] Has the Government of Jersey considered jurisdictional risk? 

The Government regularly assesses risks to the island, including those around cyber security.  

In response to this growing risk, Government established the Jersey Cyber Security Centre (https://jcsc.je/), which represents and supports the Island on cyber security issues.

We notified the Jersey Cyber Security Centre as soon as we became aware of the issue and have been working with them throughout our response.  

The Jersey Cyber Security Centre can support queries relating to this incident from cyber defence bodies in other jurisdictions and works closely with the UK NCSC.

We will continue to work with the Jersey Cyber Security Centre, the Jersey Office of the Information Commissioner, Government of Jersey and the local financial services community, to consider any lessons that can be learned to reduce the future risk of similar incidents in Jersey. 

22. What further steps are you taking? 

We appreciate that you may want further information and we will be updating our website regularly. We will also be updating our regulated industry regularly to assist them in supporting clients who have been impacted.   

We are also commissioning a full review of how the issue arose. This will be delivered by an independent third-party provider.  

For enquiries, please email query@jerseyfsc.org or telephone on 01534 822199.  

We wish to thank all parties involved for their patience and support.   

E) OPERATIONAL RESPONSE 

23. [NEW] How are you managing your operational response? 

We have created a dedicated response team. Colleagues are fully trained, and we have additional resources on standby should the number of queries increase. We are committed to providing accurate and timely responses in a way which complies with our security protocols. 

24. [NEW] How can you stop impersonators contacting you about my information? 

Before we release any information, we conduct identification and verification checks to ensure we are talking to the correct person. In some cases, this may require the provision of documents for identification. This is a vital part of ensuring that we only provide information to the right people.  

25. [NEW] Can firms contact the JFSC on a client’s behalf to see if they were affected?

Yes, in addition to our dedicated team who can be contacted by email query@jerseyfsc.org or by telephone +44 (0)1534 822199, we have put in place a process whereby firms can contact us on behalf of a client. 

The ‘nominated person’ or Compliance Officer may contact us on behalf of a client if the client has specifically requested them to do so. We will conduct identification and verification checks with the representative of a firm before releasing any information. 

26. [NEW] What support is available to people who have concerns? 

We have written directly to those people we have assessed fall into a higher risk category. We have also communicated more widely with a public statement and provided further information on our website.  
