The Information Commissioner’s Office (ICO) has fined the UK government £500,000 for unwittingly exposing the personal data of 1,097 New Year Honours recipients.
The incident occurred on December 27, 2019, when the Cabinet Office published a file containing the names and addresses of over 1,000 people, including prominent public figures and more than a dozen MoD employees and senior counter-terrorism officers.
The data was exposed because a misconfigured IT system at the Honours and Appointments Secretariat (HAS) mistakenly generated a CSV file that included the postal addresses of New Year Honours recipients.
“Due to tight timescales to get the New Year Honours list published, the HAS operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included in the file,” the ICO explained.
The data was published at 10.30 pm on Friday and accessed 3,872 times in just two hours and 21 minutes, according to the ICO investigation.
“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected,” said Steve Eckersley, ICO Director of Investigations. “At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed. The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”
The ICO said it received three complaints from affected individuals, while the Cabinet Office was contacted by 27 people who expressed security concerns. Since the incident, the Cabinet Office has improved its security and reviewed its data-handling procedures.