The UK’s Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for a 2020 data leak that exposed the full names and addresses of the New Year Honours recipients on its gov.uk web page. The Cabinet Office is a department of the British government directly responsible for supporting Prime Minister Boris Johnson. Over 1,000 people were affected by the leak, with some complaining that they felt concerned for their personal safety.

The ICO said the Cabinet Office had broken the Data Protection Act 2018 and was being charged according to the General Data Protection Regulation.

The published addresses included those of Sir Elton John, cricketer Ben Stokes, senior Tory Sir Iain Duncan Smith, TV chefs Nadiya Hussain and Ainsley Harriott, broadcaster Gabby Logan, Grease actress Olivia Newton-John and former director of public prosecutions Alison Saunders.

The ICO found that the Cabinet Office had failed to put adequate measures in place to avoid such data breaches.

On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions across the UK were affected, including individuals with a high public profile.

After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The ICO also found that the Cabinet Office failed to implement the appropriate technical and organisational measures in its IT systems to protect the data of those affected.

The team responsible for generating and publishing the list was under tight deadlines, the ICO reported, and instead of fixing the system, it attempted to amend the file. However, each time a new file was generated, the .CSV file included full addresses.

Although the file was removed shortly after it was posted online, a cached version remained accessible to the public. The ICO reported the file was accessed 3,872 times in the period of two hours and 21 minutes that it was online.

The Cabinet Office confirmed that there were no specific or written processes in place at the time to sign off documents and content containing personal data prior to being sent for publication. The Cabinet Office said it wanted to “reiterate” a previous apology it made over the incident. A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident … We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again.”

Source: Cyber Security Intelligence