Employees were issued first written warnings in three cases.
Staff members at the UK’s Financial Conduct Authority (FCA) received disciplinary warnings after transmitting official data to their personal email accounts.
According to a Freedom of Information (FoI) request reported by The Register, three employees were issued first written warnings, while a fourth, already under disciplinary review, received a final written warning for breaching internal policy.
Unspecified Regulator Data
The incidents occurred during the 2022/23 financial year and involved unspecified regulator data. The FCA, which regulates financial services and holds vast volumes of sensitive information, including details of data breaches and consumer complaints, did not disclose the nature or volume of the data involved.
One case related to a possible fifth breach was noted but withheld under Section 40 of the FoI Act, which protects individuals’ identities in sensitive disclosures.
No similar policy breaches were recorded in the subsequent financial years, 2023/24 or 2024/25. The FCA, which employs more than 5,000 people, reiterated that such actions are violations of its acceptable use policy.
Systems and Controls
An FCA spokesperson said: “We take any breaches of our email security policies seriously and have systems and controls in place to manage breaches of email security. Breaches can and do result in an investigation and can lead to disciplinary sanctions.”
However, the authority did not respond to questions about the specific nature of the data involved in these four cases.
Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said: “While such misconduct is certainly unacceptable, unfortunately many governmental entities on both sides of the Atlantic face similar or even more dangerous incidents on a daily basis. Human factor and error are still among the key reasons for the disastrous data breaches, which happen because of someone’s negligence or carelessness.
“The misconduct of governmental employees is also caused by the increasing pressure from their employers in terms of volume of work and tough deadlines, eventually pushing employees to take some work to their homes in overt breach of information security policies.
“Training and education are essential to prevent similar incidents in the future, while management should continually monitor that the team is not forced to work from home in order to meet the KPIs or deadlines.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.