The UK’s Information Commissioner’s Office (ICO) fined the Cabinet Office for failing to put in place the appropriate technical and organizational measures to prevent unauthorized disclosure of recipients of New Year’s honors.
Twice a year, the government awards a mixture of honors (knighthoods, the Order of the Bath, and so on) to a list of people deemed worthy.
The ICO has now fined the Cabinet Office, the unit that works in all government departments on behalf of the Prime Minister, £500,000 for the unauthorized disclosure of personal information, a violation of data protection law, during the honors release of December 27, 2019.
The Cabinet Office posted a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people featured in the New Year’s Honors List. After learning of the data breach, the Cabinet Office removed the web link to the file, but cunning criminals cached the file and made sure it was accessible online.
The personal data was available online for a period of two hours and 21 minutes and was accessed 3,872 times, the ICO said. It received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 people with similar concerns.
ICO Director of Investigations Steve Eckersley said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially at risk of identity fraud and threats to their personal safety. Today’s fine sends a message to other organizations that protecting people’s information safely, as well as regularly checking that appropriate measures are in place, must be high on their agendas.”
According to the ICO, the Honors and Nominations Secretariat (HAS) within the Cabinet Office introduced a new IT system in 2019 to process public nominations for New Year’s honors. But it was configured incorrectly, which resulted in CSV files containing postal address data.
Due to the tight deadlines for the release of the New Year’s List, the HAS operations team decided to modify the file instead of modifying the IT system. However, whenever a new version of the file was generated, the postal address data was automatically included in it again.
The Cabinet Office has since taken a number of operational and technical measures to improve the security of its systems, and an independent, data-driven review was completed in 2020. Elizabeth Denham stepped down as Information Commissioner on November 30, 2021. John Edwards, the New Zealand Privacy Commissioner, will take office on January 3, 2022.
In the meantime, Paul Arnold, Deputy Director General of the ICO, will be appointed as the ICO’s accountant from December 1, 2021 to January 2, 2022. ®