Brian Sims
Editor

Cabinet Office fined £500,000 for New Year Honours data breach

The Information Commissioner’s Office (ICO) has fined the Cabinet Office the sum of £500,000 for disclosing the postal addresses of Her Majesty The Queen’s 2020 New Year Honours recipients online.

The ICO found that the Cabinet Office had “failed to put appropriate technical and organisational measures in place” to prevent the unauthorised disclosure of people’s information. This is a breach of data protection law.

On 27 December 2019, the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. Individuals from a wide range of professions across the UK were affected, including individuals with a high public profile.

After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and accessible online to those people who had the exact web page address.

In fact, the personal data was available online for a period of two hours and 21 minutes and was accessed on 3,872 occasions.

Due to the data being published in the public domain, the ICO received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 individuals with similar concerns.

Real life consequences

Steve Eckersley, the ICO’s director of investigations, commented: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.”

Eckersley continued: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

In conclusion, Eckersley urged: “The fine issued in this case sends a very clear message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place to do so, must be at the very top of their agenda.”

Details of the breach

The Honours and Appointments Secretariat (HAS) in the Cabinet Office introduced a new IT system in 2019 to process the public nominations for the New Year Honours. The IT system was set up incorrectly by the Cabinet Office, which meant that the system generated a CSV file including postal address data.

Due to tight timescales to have the New Year Honours list published, the HAS operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included within the file.

The Cabinet Office confirmed that there was no specific or written process in place in HAS at the time to sign off on documents and content containing personal data prior to it being sent for publication.

The ICO acknowledges that the Cabinet Office acted promptly when made aware of the data breach and that it undertook a full incident review.

The Cabinet Office has since instigated a number of operational and technical measures designed to improve the security of its systems, while an independent review focusing on data handling was completed in 2020.

Company Info

Western Business Media.
