The Information Commissioner’s Office (ICO), the UK’s data watchdog, has fined the Government £500,000 after the addresses of over 1,000 New Years Honours recipients were mistakenly published online.
The data breach occurred at 10:30pm on Friday 27 December 2019, when the personal details of more 1,097 celebrities, government employees, politicians, and officials who had received honours had their home and work addresses posted on the official UK Government website.
Amongst those who had their addresses shared publicly in a spreadsheet were musician Elton John, singer Olivia Newton-John TV cook Nadiya Hussain, cricketers Ben Stokes and Clive Lloyd, MP Iain Duncan Smith, and film director Sam Mendes.
The offending list was removed in the early hours of Saturday 28 December 2019 after members of the public raised the alarm, and replaced with a version which did not contain the personal information.
At the time there were fears due to the fact that the addresses of police working in counter-terrorism, royal protection, and undercover operations had also been revealed.
It has now been announced that the ICO is fining the UK Government’s Cabinet Office £500,000 for the breach.
So, how did the breach happen?
According to the ICO’s investigation, a new IT system was introduced into the Cabinet Office in 2019 to process the public nominations for New Years Honours.
However, the IT system was set up incorrectly – which meant that it generated a CSV file that included sensitive postal address data.
Because of “tight timescales to get the New Years Honours list published,” a decision was made to amend the file instead of fixing the IT system. However, every time a new version of the file was generated the postal addresses of those receiving hours was automatically included.
What’s the saying? Oh yes. Act in haste, repent at leisure. A little more time and care could have avoided this whole sorry mess.
The ICO’s investigation found that the personal data was available online for a period of two hours and 21 minutes and was accessed on 3,872 occasions.
Although the Cabinet Office removed the link to the file after discovering it had shared people’s personal information, the file was still cached and accessible to anyone who knew the exact URL.
Steve Eckersley, ICO Director of Investigations, said:
“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.”
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”
A spokesperson for the Cabinet Office apologised for the breach, and said that an internal review had been completed and a number of measures put in place to ensure such an incident does not happen again.