Thursday 02 Dec 2021 @ 14:38
Information Commissioner's Office
Printable version

Cabinet Office fined £500,000 for New Year Honours data breach

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. This is a breach of data protection law.

On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions across the UK were affected, including individuals with a high public profile.

After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

Due to the data being published in the public domain, the ICO received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 individuals with similar concerns.

Steve Eckersley, ICO Director of Investigations, said:

“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

Details of the breach

The Honours and Appointments Secretariat (HAS) in the Cabinet Office introduced a new IT system in 2019 to process the public nominations for the New Year Honours.

The IT system was set up incorrectly by the Cabinet Office, which meant that the system generated a CSV file that included postal address data.

Due to tight timescales to get the New Year Honours list published, the HAS operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included in the file.

The Cabinet Office confirmed that there was no specific or written process in place in HAS at the time to sign off documents and content containing personal data prior to being sent for publication.

The ICO acknowledges that the Cabinet Office acted promptly when made aware of the data breach and it undertook a full incident review. The Cabinet Office has since instigated a number of operational and technical measures to improve the security of its systems, and an independent review focusing on data handling was completed in 2020.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  4. This penalty was issued under the DPA2018 for infringements of the GDPR.
  5. Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
  6. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

 

Channel website: https://ico.org.uk/

Original article link: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/12/cabinet-office-fined-500-000-for-new-year-honours-data-breach/

Share this article

Latest News from
Information Commissioner's Office

Housing association reprimanded for exposing personal information on online portal

19/04/2024 14:10:00

We have issued a reprimand to Clyde Valley Housing Association in Lanarkshire after personal information was accessible to other residents on an online customer portal. 

ICO publishes guidance to improve transparency in health and social care

16/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is supporting health and social care organisations to ensure they are being transparent with people about how their personal information is being used.

Information Commissioner’s Office seeks views on accuracy of generative AI models

12/04/2024 12:25:00

The Information Commissioner’s Office (ICO) has launched the latest instalment in its consultation series examining how data protection law applies to the development and use of generative AI.

ICO joins global data protection and privacy enforcement programme

04/04/2024 15:20:00

The Information Commissioner’s Office (ICO) has signed onto a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) to cooperate in cross-border data protection and privacy enforcement.

ICO sets out priorities to protect children's privacy online

04/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is calling on social media and video-sharing platforms to improve their data protection practices so children are safer when using their services. 

ICO publishes new fining guidance

19/03/2024 09:10:00

The Information Commissioner’s Office has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines.

ICO reprimands Dover Harbour Board and Kent Police over information sharing

18/03/2024 10:20:00

The Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law.

ICO reprimands London Mayor's Office for Policing and Crime for complaint web form error

15/03/2024 14:10:00

The London Mayor’s Office was yesterday reprimanded by the Information Commissioner’s Office (ICO) for a web glitch that potentially revealed the personal information of people who were complaining about the Metropolitan Police Service.

ICO fines Wigan-based Pinnacle Life £80,000 for “predatory” spam call campaign

07/03/2024 12:25:00

Wigan-based company Pinnacle Life has been fined £80,000 by the Information Commissioner’s Office (ICO) for a year-long unlawful spam phone call campaign.