Shortly before 10 pm on Tuesday evening Appleby, which has offices on the Esplanade, released a statement admitting it was the subject of a ‘data security incident’ in 2016 and some of the data it holds was ‘compromised’.
The statement was published after the legal and financial services firm was contacted with inquiries by the International Consortium of Investigative Journalists – the body which led the investigation into the huge Panama Papers data leak last year – and other media organisations.
‘These inquiries have arisen from documents that journalists claim to have seen and involve allegations made against our business and the business conducted by some of our clients,’ the statement says.
‘We take any allegation of wrongdoing, implicit or otherwise, extremely seriously. Appleby operates in highly regulated jurisdictions and like all professional organisations in our regions, we are subject to frequent regulatory checks and we are committed to achieving the high standards set by our regulators.
‘We are also committed to the highest standards of client service and confidentiality. It is what we stand for. This commitment is unequivocal.’
The statement adds: ‘We are committed to protecting our clients’ data and we have reviewed our cyber security and data-access arrangements following a data-security incident last year, which involved some of our data being compromised. These arrangements were reviewed and tested by a leading IT forensics team and we are confident that our data integrity is secure.
‘We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data-protection breaches. Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.’
It is not known at this stage what the ICIJ’s accusations were.
Paul Vane, the Channel Islands’ deputy information commissioner, said there are currently no laws in place in Jersey requiring firms to disclose if they have been the victim of a data breach.
He added, however, that this will change when the EU General Data Protection Regulations are introduced on 25 May 2018, meaning firms will have a duty to report any breaches to the Information Commissioner’s Officer within 72 hours.
Firms could also be fined up to 20 million euros, or four per cent of their annual turnover, if their IT security is breached, according to Ricky Magalhaes, head of cybersecurity at Logicalis.
Commenting on the Appleby breach, Mr Vane said: ‘I am personally aware that a data breach has occurred. We have not had any complaints that have been lodged in relation to that.
‘I am not sure of the extent as to what personal data has been compromised. Usually for anyone affected by a breach their first port of call would be us.’
The Panama Papers was believed to be the biggest data leak in history, with 11.5 million documents released from the files of offshore law firm Mossack Fonseca, which until recently had offices in Jersey.
The leak revealed how billions of pounds were stashed in offshore jurisdictions by super-rich clients to avoid paying tax.