Cabinet Office fined £500,000 for New Year Honours data breach

The ICO has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

One principle of the UK GDPR is that organisations must put appropriate technical and organisational measures in place to prevent unauthorised disclosure of people’s information, and the ICO has ruled that the Cabinet Office failed to do that in this case.

In December 2019 the Cabinet Office published a file on the website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list.

The list was available for only a little over 2 hours before someone realised and it was removed. However, in that time it was accessed almost 4,000 times.

Steve Eckersley, ICO Director of Investigations, said:

“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

I hope that you have the appropriate policies, procedures, training, systems and ongoing review in place to prevent this in your organisation. A Data Protection Review is the ideal way to give you the comfort that you can demonstrate compliance, so contact us to find out how you can join so many other organisations in benefiting from this straightforward review.