Breach included details of celebrities such as Sir Elton John and former Tory leader Iain Duncan Smith
The Cabinet Office has been accused of “complacency” and fined £500,000 for accidentally disclosing the personal details of prominent recipients of the 2020 New Year Honours online.
Concluding a probe, the Information Commissioner’s Office (ICO) said the government had breached data protection law by publishing a file containing the names and redacted addresses of more than 1,000 people on the honours list.
The list included celebrities such as Sir Elton John, TV chef Nadiya Hussain, cricketer Ben Stokes, alongside the former Conservative Party leader, Iain Duncan Smith, who branded the breach in December 2019 a “complete disaster”.
The ICO said the Cabinet Office, which issued an apology at the time, had “failed to put appropriate technical and organisational measures in place to prevent the unauthorises disclosure of people’s information”.
It said a IT system acquired by the Honours and Appointments Secretariat for processing nominations had been set up incorrectly, which resulted in it generating a file with the addresses of the recipients which was then published on the gov.uk website.
While the Whitehall department removed the weblink to the file after noticing the error, it was still cached and accessed online 3,872 times over a period of two hours and 21 minutes.
Director of Investigations at the ICO, Steve Eckersley, said: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected
“At a time when they should have been enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.
“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
The ICO added it had received complaints from three of the individuals affected who raised personal safety concerns, while 27 contacted the Cabinet Office with similar issues.
However, the ICO also acknowledged the Whitehall department “acted promptly” when made aware of the breach, undertook a full incident review and has since instigated “instigated a number of operational and technical measures to improve the security of its systems”.
A Cabinet Office spokesperson told The Independent: “The Cabinet Office would like to reiterate our apology for this incident. We took action to mitigate any potential harm by immediately informing the Information Commissioner and everyone affected by the breach.
“We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again.
“This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”