Cabinet Office cuffed for New Year Honours data gaffe

The Cabinet Office has been accused of being complacent over its data handling procedures after being hit with a £500,000 fine for a major cock-up which led to the postal addresses of the entire 2020 New Year Honours list being leaked online.

According to an Information Commissioner’s Office investigation, the issue dated back to early 2019, when the Honours and Appointments Secretariat (HAS) in the Cabinet Office introduced a new IT system to process the public nominations for the New Year Honours.

However, it transpired that the IT system was set up incorrectly, resulting in it generating a CSV file that included postal address data.

Due to tight timescales to get the New Year Honours list published, the HAS operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included in the file.

The Cabinet Office confirmed that there was no specific or written process in place in HAS at the time to sign off documents and content containing personal data prior to being sent for publication.

So, on December 27 2019, when the Cabinet Office published a file on GOV.UK that announced the New Year Honours list, more than 1,000 people from a wide range of professions across the UK were affected, including Elton John, Nadiya Hussain, Ainsley Harriott and Gabby Logan.

After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information, in a breach of data protection law.

Due to the data being published in the public domain, the ICO received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 individuals with similar concerns.

The ICO acknowledges that the Cabinet Office acted promptly when made aware of the data breach and it undertook a full incident review. The Cabinet Office has since instigated a number of operational and technical measures to improve the security of its systems, and an independent review focusing on data handling was completed in 2020.

ICO director of investigations Steve Eckersley said: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
