ICO fines Cabinet Office £500,000 for ‘complacent’ data breach

The Information Commissioner’s Office has issued the Cabinet Office with a £500,000 fine after the postal addresses of 2020's New Year Honours recipients were disclosed online.

The ICO has issued the Cabinet Office with a fine for the data breach
The ICO has issued the Cabinet Office with a fine for the data breach

The ICO said that, on 27 December 2019, the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list.

The list included celebrities such as Sir Elton John and the former Conservative Party leader, Iain Duncan Smith.

As a result, the ICO received three complaints from affected individuals who raised personal safety concerns and the Cabinet Office was contacted by 27 individuals.

Following an investigation the ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information – a breach of data protection law.

Action taken since breach

However, the ICO acknowledged that the Cabinet Office acted promptly when made aware of the data breach and it undertook a full incident review.

The ICO said the Cabinet Office had since instigated operational and technical measures to improve the security of its systems, and that an independent review focusing on data handling was completed in 2020.

Steve Eckersley, ICO director of investigations, said: “When data breaches happen, they have real-life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.”

'Complacency'

Eckersley continued: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

He added that the fine sent a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.

Fines

The ICO has the power to fine organisations up to £17.5m or up to four per cent of global turnover, and has previously issued British Airways with a £20m fine and Marriott an £18.4m fine. However, smaller fines ranging between £350,000 and £500,000 are also issued by the body.

A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident. We took action to mitigate any potential harm by immediately informing the Information Commissioner and everyone affected by the breach.

“We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again. This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”


Click here to subscribe to the FREE public sector bulletin to receive dedicated public sector news, features and comment straight to your inbox.

Make sure you register for the site to access more than one story per month.

To submit a news, comment, case study or analysis idea for the public sector bulletin, email Ian.Griggs@haymarket.com

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Register
Already registered?
Sign in