Government fined £500,000 for New Year honours data breachon December 2, 2021 at 11:40 am

The government has been fined £500,000 for mistakenly sharing the postal addresses of more than 1,000 New Year Honours recipients online.

Singer Sir Elton John, sports presenter Gabby Logan and TV cook Nadiya Hussain were among those affected.

The Information Commissioner’s Office (ICO) found that the Cabinet Office had failed to put adequate measures in place to avoid such data breaches.

The error, which occurred in 2019, resulted from “complacency”, it added.

The government apologised for the data breach and said it had put measures in place to avoid a repeat of it.

On 27 December 2019 the Cabinet Office, the government department which handles honours. published a file on the gov.uk website showing the unredacted addresses of 1,097 people receiving New Year honours for 2020.

After officials became aware of the data breach, the weblink to the file was removed, but it was still cached and available online to people typing in the exact web address.

The data was online for two hours and 21 minutes and was accessed 3,872 times.

Cricketer Ben Stokes, chef Ainsley Harriott and former Ofcom boss Sharon White were also among those affected.

The ICO received three complaints from people whose details were shared.

Its director of investigations, Steve Eckersley, said: “At a time when [the recipients] should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

The Cabinet Office said it wanted to “reiterate” a previous apology it made over the incident.

A spokesperson added: “We took action to mitigate any potential harm by immediately informing the information commissioner and everyone affected by the breach.

“We take the findings of the information commissioner very seriously, and have completed an internal review, as well as implemented a number of measures to ensure this does not happen again.

“This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”