UK Government Fined Over Honors List Data Breach

The UK’s data watchdog has slapped the British government with a hefty fine for exposing the addresses of individuals chosen to receive honors. 

The Information Commissioner’s Office (ICO) said that the safety of hundreds of 2020 New Year Honors recipients had been placed in jeopardy after their personal data was published online.

“On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honors list,” said the ICO in a statement released Thursday. 

Among the figures impacted by the unauthorized disclosure of personal information were musician Elton John, TV chef Nadiya Hussain, former NHS England chief executive Simon Stevens, former director of public prosecutions Alison Saunders, and cricketer Ben Stokes. 

The addresses of the honorees were available online for two hours and 21 minutes. During that period, the information was accessed 3,872 times. 

“After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address,” said the ICO.

Three complaints were received by the ICO from individuals whose data was exposed in the incident. A further 27 people contacted the Cabinet Office to raise concerns over the personal safety of the honorees following the breach.

The ICO found that officials at the Cabinet Office had breached UK data protection laws by failing to put in place “appropriate technical and organizational measures” to prevent the publication of the addresses.

On Thursday, the ICO fined the Cabinet Office £500,000 (approximately $661,000) over the data debacle. 

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety,” said the ICO’s director of investigations Steve Eckersley.

“The fine issued today sends a message to other organizations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
