Cabinet Office slapped with £500k fine after New Year Honours list data leak
The Cabinet Office has been fined £500,000 by the data protection watchdog after it leaked the addresses of prominent Brits on the 2020 New Year Honours list.
Big names to have their home addresses published on the government website included Elton John, TV chef Nadiya Hussain and NHS England’s then chief executive, Simon Stevens.
A file was published on gov.uk which contained the names and unredacted addresses of more than 1,000 people in the honours list. It included senior counter-terrorism officers, as well as celebrities.
The Information Commissioner’s Office (ICO) said there was a failure to “put appropriate technical and organisational measures in place” to prevent the leaking of data on 27 December 2019.
The error occurred following the Cabinet Office’s introduction of a new IT system to process the public nominations, which was set up incorrectly.
The data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.
The ICO received three complaints from affected individuals who raised personal safety concerns, while the Cabinet Office was also contacted by 27 individuals with similar concerns.
Steve Eckersley, ICO’s director of investigations, said the department’s “complacency and failure” led to people being “potentially exposed to the risk of identity fraud and threats to their personal safety.”
He added: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.”
Dan Middleton, regional UK vice president at storage software company Veeam, called the data breach “particularly concerning” given the high-profile names and occupations of those involved, including a number of Ministry of Defence employees.
He added: “It doesn’t matter if a data breach or service disruption is caused by a cyber-attack, or even the actions of an overworked employee making a mistake – these kinds of incidents can be a real breach of trust and the fines send a clear image that no one is above the ICO’s remit.”