Cabinet Office fined £500,000 over New Year honours list data breach
Regulator says safety of hundreds of individuals was jeopardised after their addresses were posted online
The Cabinet Office has been fined £500,000 by the UK’s data watchdog after the postal addresses of the 2020 New Year honours recipients were disclosed online.
The Information Commissioner’s Office (ICO) found officials failed to put in place “appropriate technical and organisational measures” to prevent the unauthorised disclosure of personal information in breach of data protection law.
Prominent public figures who had their home addresses published on 27 December 2019 on the gov.uk website included Elton John, the cricketer Ben Stokes, NHS England’s then chief executive, Simon Stevens, the TV chef Nadiya Hussain and the former director of public prosecutions Alison Saunders. The inadvertently published list also included more than a dozen MoD employees and senior counter-terrorism officers.
In its finding, the ICO said the personal data of more than 1,000 people was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The ICO said in its ruling on Thursday that the Cabinet Office removed the web link to the file once it became aware of the error, but that it was still cached and therefore accessible online to people who had the exact webpage address.
At the time of the breach, the former work and pensions secretary Iain Duncan Smith, who was ennobled on the 2020 list and whose address was published, said it was a “complete disaster”.
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety,” said the ICO’s director of investigations, Steve Eckersley.
“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
The ICO said it had received three complaints from affected individuals who raised personal safety concerns, while the Cabinet Office was also contacted by 27 individuals with similar concerns.
It said the exposure of honours recipients’ addresses was related to the Cabinet Office incorrectly installing a new IT system for processing honours. This meant that the system generated a CSV file – a format commonly used for spreadsheets – that included postal addresses. The ICO said the Cabinet Office had since improved the security of its systems.
The largest fine imposed by the ICO was a £20m punishment for British Airways following a hack of customer data in 2018. Marriott Hotels was fined £18.4m, also following a data breach.
A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident … We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again.”