Cabinet Office fined £500,000 over New Year honours list data breach

Regulator says safety of hundreds of individuals was jeopardised after their addresses were posted online

The Cabinet Office has been fined £500,000 by the UK’s data watchdog after the postal addresses of the 2020 New Year honours recipients were disclosed online.

The Information Commissioner’s Office (ICO) found officials failed to put in place “appropriate technical and organisational measures” to prevent the unauthorised disclosure of personal information in breach of data protection law.

Prominent public figures who had their home addresses published on 27 December 2019 on the website included Elton John, the cricketer Ben Stokes, NHS England’s then chief executive, Simon Stevens, the TV chef Nadiya Hussain and the former director of public prosecutions Alison Saunders. The inadvertently published list also included more than a dozen MoD employees and senior counter-terrorism officers.

In its finding, the ICO said the personal data of more than 1,000 people was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The ICO said in its ruling on Thursday that the Cabinet Office removed the web link to the file once it became aware of the error, but that it was still cached and therefore accessible online to people who had the exact webpage address.

At the time of the breach, the former work and pensions secretary Iain Duncan Smith, who was ennobled on the 2020 list and whose address was published, said it was a “complete disaster”.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety,” said the ICO’s director of investigations, Steve Eckersley.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

The ICO said it had received three complaints from affected individuals who raised personal safety concerns, while the Cabinet Office was also contacted by 27 individuals with similar concerns.

It said the exposure of honours recipients’ addresses was related to the Cabinet Office incorrectly installing a new IT system for processing honours. This meant that the system generated a CSV file – commonly used on spreadsheets – that included postal addresses. The ICO said the Cabinet Office had since improved the security of its systems.

The largest fine imposed by the ICO was a £20m punishment for British Airways following a hack of customer data in 2018. Marriott Hotels was fined £18.4m, also following a data breach.

A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident … We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again.”


Dan Milmo Technology editor
