The Financial Conduct Authority (FCA) has admitted that it revealed confidential consumer information on its website in a data breach last year.
The City watchdog published details of roughly 1,600 people who filed complaints about it between January 2018 and July 2019.
Read more: Brazil fines Facebook over data breach
In some instances the information included names, addresses and telephone numbers. The FCA said no financial or passport details were exposed.
The error came when the FCA published its response to a Freedom of Information Act request. Among the complaints made about the watchdog were its lack of communication and level of fees.
The FCA today said it has referred itself to the Information Commissioner’s Office (ICO), which oversees data use.
“We have undertaken a full review to identify the extent of any information that may have been accessible,” it said in a statement.
“Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.”
The FCA added that it has taken action to ensure the error does not happen again, and said it was making contact with those affected to “apologise and to advise them of the extent of the data disclosed and what the next steps might be”.
The breach will come as an embarrassment to the watchdog, which handed down a £16.4m fine to Tesco Bank in 2018 over its handling of a cyber attack.
The regulator is also investigating the Bank of England over a security breach that allowed hedge funds to eavesdrop on press conferences.
In a joint statement with the ICO earlier this month, the FCA warned insolvency practitioners and authorised firms to be responsible when dealing with personal data.
Rachel Aldighieri, managing director of the Data & Marketing Association said was “alarming” that the FCA had allowed an error to cause a data breach.
“It is a serious concern that this has taken since November for this information to be disclosed publicly,” she added.
The ICO today confirmed it was aware of the incident and said it would assess the information provided. Under EU GDPR rules the ICO can issue a maximum fine of £17m or four per cent of global turnover — whichever is highest.