Post Office Escapes £1m Fine After Postmaster Data Breach

The Post Office has dodged a potential regulatory fine of over £1m ($1.3m) following a 2024 data breach in which it leaked the personal information of hundreds of postmasters who were litigating against the company.

Data protection regulator the Information Commissioner’s Office (ICO) said in an update yesterday that the names, home addresses and postmaster status of 502 people were publicly accessible from April 25 to June 19, 2024.

The information was exposed in an unredacted version of a legal settlement document, related to the notorious Horizon IT scandal, published on the Post Office’s corporate website.

In what is widely considered the biggest miscarriage of justice in British legal history, over 900 sub-postmasters were prosecuted for false accounting and theft when the fault in fact lay with the Horizon IT system the Post Office was using. Many served prison sentences or suffered bankruptcy as a result.

The ICO said it had considered a fine of just under £1.1m for the data breach, but did not think the infringements reached the “egregious” threshold set by its public sector approach.

That approach, which has been criticized in the past, posits that fines aren’t an effective deterrent in the public sector and only serve to further undermine the UK’s creaking public services. The Post Office is a limited company wholly owned by the government.

As a result, the Post Office has received only a reprimand from the ICO. That is despite its failure to implement appropriate technical and organizational measures to protect people’s information.

The ICO added that the company lacked documented policies or quality assurance processes for publishing documents on its corporate website, and that staff training was insufficient.

Lessons Learned

The ICO did acknowledge that the Post Office offered compensation to all those impacted by the breach, as well as identity protection services for 24 months. It also contacted search engines to remove cached versions of the document.

The Post Office established an emergency working group for improving internal controls, and produced a documented policy for publishing information on its corporate website, the ICO added.

The regulator said organizations should learn the following from the incident:

  • Have a clear protocol for publication of sensitive documents online, including multi-step approvals
  • Ensure all teams recognize personal information, and can assess its sensitivity and potential reputational/emotional impact if published
  • Centralize and classify documents using secure, shared repositories with clear access controls and classification labels, rather than personal storage like OneDrive
  • Ensure everyone involved in publishing content understands their role and responsibility
  • Deliver personalized training to relevant teams covering publishing protocols, data classification, and risk awareness
