The Cabinet Office data breach was the result of human error. It involved the publication of the 2020 New Years Honours list on the Cabinet Office website. This included the personal details, and home addresses, of over 1,000 high profile people, including well-known celebrities and politicians.
The Cabinet Office data breach was the result of a newly installed IT system which was incorrectly set up. This resulted in a CSV file, containing the full unredacted information of all 1,097 honourees, being made available online.
The file remained online for 2 hours and 21 minutes, after which it was believed to have been removed by Home Office staff. However, the data remained accessible for an extended period of time, for those with the exact web address of the file, and is believed to have been accessed 3,872 times.
The Cabinet Office data breach occurred in December 2019, when the Cabinet Office mistakenly published the personal details of the 2020 New Year’s Honours list on its website.
Commenting on the Cabinet Office data breach, a spokesperson said: “The information was removed as soon as possible. We apologise to all those affected and are looking into how this happened. We have reported the matter to the ICO and are contacting all those affected directly”.
The Information Commissioner’s Office (ICO) later determined that the Cabinet Office broke the law by not “put[ting] appropriate technical and organisational measures in place to prevent the unauthorized disclosure of people’s information”.
The Cabinet Office data breach affected everyone set to receive Honours in 2020 including Elton John, Nadiya Hussain, Ainsley Harriott, Olivia Newton-John, and former Conservative Party Leader Iain Duncan Smith to name a few.
Following the data breach, the Information Commissioner’s Office (ICO) received 3 formal complaints regarding the breach, with a further 27 people contacting the Cabinet Office with concerns over their health and safety.
The Cabinet Office data breach occurred when the newly and incorrectly implemented IT system created an unredacted copy of the honours list – complete with address details – which could be accessed without authorisation or specialist knowledge.
The Cabinet Office became aware of the issue and had removed the list some 2 hours and 21 minutes after the fact. However, the issue was worsened when the Honours and Appointments Secretariat (HAS) operations team changed the data file rather than the IT system. This was done to save time but resulted in the data remaining online for an extended period.
The information subsequently remained online for those with the direct link and was reportedly accessed at least 3,872 times.
In December 2021, almost two years after the data breach and on conclusion of its investigation, the Information Commissioner’s Office (ICO) fined the Cabinet Office £500,000.
On top of the £500,000 fine, and in response to the GDPR data breach, the Cabinet Office have since amended their systems and policies to reduce the risk in future.
Commenting on the repercussions for those affected by the data breach, Mark Montaldo, a director and data breach solicitor at CEL Solicitors, said: “The high-profile status of those affected adds to the seriousness of this data breach. There is huge public interest in the lives of celebrities and politicians, which is apparent by the number of times this information was reportedly accessed. In the wrong hands, the publication of addresses could present a serious security risk to those affected.
“Organisations, that hold sensitive data, must therefore ensure that their processes are watertight. Whilst inconvenient, phone numbers, email addresses and financial information, can be changed. A home address, however, is not so simple. This fine should therefore serve as a warning to all data holders to prioritise data protection as lapses such as this can be incredibly costly.”
This is not the first significant fine received by an organisation that has failed to protect the data it holds. Similar penalties in recent years have seen British Airways and the Marriott hotel chain suffer £20m and £18.4m fines for breach of GDPR, respectively.
In related news, a recent Labour Party data breach potentially saw the personal information of around 400,000 individuals compromised in a cyber-attack. Additional data breach examples include the Hospital Metalcraft data breach and The Riverside Group data breach – both of which involved the unauthorised replication of personal information from a company server.