Cabinet Office fined £500,000 by ICO over New Year Honours data breach

Sir Elton John and cricketer Ben Stokes are among individuals affected by the breach

The UK Information Commissioner's Office (ICO) has issued the Cabinet Office with a £500,000 fine over a data breach that disclosed the personal details of more than 1,000 people listed for 2020's New Year Honours.

The ICO said its investigation into the breach revealed that the Cabinet Office had failed to put proper technical and organisational measures in place to prevent the disclosure of personal information, in breach of the UK's data protection law.

On 27 December 2019, the Cabinet Office published a file on the gov[.]uk website which contained the names and addresses of more than 1,000 people announced in the New Year Honours list.

The list included details of prominent public figures such as Sir Elton John, the TV chef Nadiya Hussain, cricketer Ben Stokes, the former Conservative Party leader Iain Duncan Smith, NHS England's then-CEO Simon Stevens, and public prosecutions ex-director Alison Saunders.

It also included details on more than a dozen Ministry of Defence employees and counter-terrorism officials.

After becoming aware of the error, the Cabinet Office removed the weblink to the file, but it was still cached and therefore accessible to people who knew the exact webpage address.

According to the ICO, the personal data was accessed 3,872 times during the two hours and 21 minutes in which the list was available online.

In its finding, the regulator said that the security lapse stemmed from the Cabinet Office incorrectly setting up a new IT system for processing honours. The misconfiguration caused the system to generate a CSV file that included individuals' postal addresses.
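The failure mode described above is an export that carried a column it was never meant to carry. As an added illustration (not code from the article or from the Cabinet Office's systems), the following publication gate checks a CSV export against an allow-list of publishable columns and fails closed when an unapproved column such as a postal address appears; the sample export, names and column names are constructed for this example.

```python
import csv
import io

# Constructed sample export, modelled on the incident: a configuration error
# makes the honours system emit a column that was never meant to be published.
# All names and addresses are fictitious.
SAMPLE_EXPORT = """\
Name,Honour,Citation,Postal address
A. Example,MBE,For services to charity,"1 Placeholder Road, Sampletown, AB1 2CD"
B. Example,OBE,For services to sport,"2 Placeholder Lane, Sampletown, AB3 4EF"
"""

# Columns the publication pipeline is approved to release (assumed for this example).
PUBLISHABLE_COLUMNS = {"Name", "Honour", "Citation"}


def find_unapproved_columns(csv_text, allowed=PUBLISHABLE_COLUMNS):
    """Return the header columns that are not on the publication allow-list.

    An empty result means the export matches the approved schema; anything
    else should block publication and be reviewed by a person.
    """
    header = next(csv.reader(io.StringIO(csv_text)), [])
    return [col for col in header if col not in allowed]


def publish_gate(csv_text, allowed=PUBLISHABLE_COLUMNS):
    """Decide whether an export may be published as-is.

    Returns (ok, offending_columns). The gate fails closed: any column outside
    the allow-list blocks release, even one that looks harmless.
    """
    bad = find_unapproved_columns(csv_text, allowed)
    return (len(bad) == 0, bad)


def redact_export(csv_text, allowed=PUBLISHABLE_COLUMNS):
    """Rebuild the export with only the approved columns, preserving row order.

    Unapproved columns are dropped from every row, so the released file cannot
    carry data the schema never authorised, whatever the upstream system emitted.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [c for c in (reader.fieldnames or []) if c in allowed]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(reader)
    return out.getvalue()
```

Running the gate before the file reaches the web server is the point: the check costs nothing when the export is clean and blocks release the moment the schema drifts.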

The Cabinet Office has since improved the security of its IT systems, according to the ICO.

The regulator said it received three complaints from affected individuals, while the Cabinet Office was also contacted by 27 individuals who raised safety concerns resulting from the breach.

"The Cabinet Office's complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety," said ICO investigations director Steve Eckersley.

He added that the financial penalty issued by the ICO would send a message to other organisations that looking after people's data safely must be at the top of their agenda.

A Cabinet Office spokesperson said they take the findings of the ICO very seriously, and have taken a number of steps to ensure such an incident is not repeated.

In June, information obtained through a Freedom of Information (FOI) request showed the Cabinet Office had spent more than £300,000 on cyber training courses for its staff over the previous two years.

The Parliament Street think tank said its FOI request revealed that the Office spent £274,142 on training courses covering ethical hacking, digital forensics and cyber security in the 2020-21 financial year. That was up 483 per cent from the £47,018 spent on cyber training in the previous financial year.