The Information Commissioner's Office (ICO) has fined the Cabinet Office £500,000 for a 2020 data leak that exposed the full names and addresses of the New Year Honours recipients on its gov.uk web page.
More than 1,000 people were affected by the leak, with some complaining that they felt concerned for their personal safety. Notable inclusions in the list were Sir Elton John, Dame Olivia Newton-John, and Sir Iain Duncan Smith.
The ICO concluded the Cabinet Office had breached the Data Protection Act 2018 as a result, and was punished according to the rules set out by the General Data Protection Regulation (GDPR).
It was also found that the Cabinet Office failed to implement the appropriate technical and organisational measures in its IT systems to protect the data of those affected.
"When data breaches happen, they have real life consequences," said Steve Eckersley, ICO Director of Investigations. "In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.
"The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety," he added.
“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda."
The IT system in question was implemented in 2019 but was misconfigured, according to the ICO. It generated a .CSV file for the New Year Honours list, which included full names and corresponding home addresses, before posting it online.
RELATED RESOURCE
The team responsible for generating and publishing the list were under tight deadlines, the ICO reported, and instead of fixing the system, it attempted to amend the file instead. However, each time a new file was generated, the .CSV file included full addresses.
Despite removing the file shortly after posted it online, a cached version remained accessible to the public. The ICO reported the file was accessed 3,872 times in the period of two hours and 21 minutes that it was online.
The Cabinet Office confirmed that there were no specific or written processes in place at the time to sign off documents and content containing personal data prior to being sent for publication.
The ICO acknowledged the swiftness of the Cabinet Office's response and undertook a full incident review, which has led to operational and technical improvements, and an independent review launched into the incident.
"The Cabinet Office would like to reiterate our apology for this incident," it said in a statement to IT Pro. "We took action to mitigate any potential harm by immediately informing the Information Commissioner and everyone affected by the breach.
"We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again. This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloadsNews The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
