The Information Commissioner’s Office has fined the Cabinet Office £500,000 for failing to prevent the leak of postal addresses of over 1,000 people who were among the 2020 New Year Honours recipients.
The leak occurred in December 2019 when the Cabinet Office published the names of recipients of the 2020 New Year Honours but failed to redact their postal addresses. It took over two hours for the office to realize its error and remove the web link, but it was too late by then.
When announcing the fine imposed on the Cabinet Office, the ICO said the file containing unredacted addresses of more than 1,000 people announced in the New Year Honours list was still cached and accessible online to people who had the exact webpage address. Prior to its removal, the weblink was also seen at least 3,872 times.
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety,” said Steve Eckersley, Director of Investigations, ICO.
“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
The Cabinet Office’s decision to publish the names of 2020 New Year Honours recipients was initiated by the Honours and Appointments Secretariat (HAS) for the first time in 2019. The new IT system, that was introduced for this purpose, contained a glitch which ensured that it generated a CSV file (containing postal addresses) each time a new file version was generated.
The HAS operations team tried to find a work around this problem by deciding to amend the file instead of modifying the IT system. This was also done to save precious time as there was a pressing need to publish the list on time. As it turned out, the effort wasn’t enough to prevent the leak of postal addresses of over 1,000 New Year Honours recipients.
According to BBC, the honours list included well-known celebrities and persons of eminence such as Sir Elton John, Ben Stokes (who was also named the BBC Sports Personality of the Year 2019), former director of public prosecutions Alison Saunders, and former Conservative Party leader Iain Duncan Smith.
The list of 1,097 people also included former gymnast and BBC Sport presenter Gabby Logan, chief executive of Ofcom Dame Sharon Michele White DBE, Diana Johnson MP, celebrity chef and TV presenter Ainsley Harriott, celebrity chef Nadiya Hussain, and actor Olivia Newton-John.
After the breach was discovered and fixed, the Cabinet Office said in a brief statement that the incident was reported to the Information Commissioner’s Office.
“A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses. The information was removed as soon as possible. We apologise to all those affected and are looking into how this happened. We have reported the matter to the ICO and are contacting all those affected directly,” said a Cabinet Office spokesperson.
“In response to reports of a data breach involving the Cabinet Office and the NY Honours list, the ICO will be making enquiries,” said the ICO.