Boris Johnson's Cabinet Office Fined £500k For Leaking Data

The UK’s Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for a 2020 data leak that exposed the full names and addresses of the New Year Honours recipients on its gov.uk web page. The Cabinet Office is a department of the British government directly responsible for supporting Prime Minister Boris Johnson. Over 1,000 people were affected by the leak, with some complaining that they felt concerned for their personal safety.

The ICO said the Cabinet Office had broken the Data Protection Act 2018 and was being charged according to the General Data Protection Regulation.

The leaked data included the addresses of Sir Elton John, cricketer Ben Stokes, senior Tory Sir Iain Duncan Smith, TV chefs Nadiya Hussain and Ainsley Harriott, broadcaster Gabby Logan, Grease actress Olivia Newton-John and former director of public prosecutions Alison Saunders.

The ICO found that the Cabinet Office had failed to put adequate measures in place to avoid such data breaches.

On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions across the UK were affected, including individuals with a high public profile.

After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The ICO also found that the Cabinet Office failed to implement the appropriate technical and organisational measures in its IT systems to protect the data of those affected.

The team responsible for generating and publishing the list was under tight deadlines, the ICO reported, and instead of fixing the system, it attempted to amend the file. However, each time a new file was generated, the .CSV file included full addresses.

Despite the Cabinet Office removing the file shortly after posting it online, a cached version remained accessible to the public. The ICO reported the file was accessed 3,872 times in the period of two hours and 21 minutes that it was online.

The Cabinet Office confirmed that there were no specific or written processes in place at the time to sign off documents and content containing personal data prior to being sent for publication. The Cabinet Office said it wanted to "reiterate" a previous apology it made over the incident. A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident … We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again.”
