The home addresses of more than a 1,000 people honoured on the New Year’s list was left exposed on a government website according to The Guardian. The list which included celebrities, government employees and politicians was accessible to anyone.
Public figures including Elton John, politician Iain Duncan Smith and NHS England’s chief executive, Simon Stevens were among those whose home addresses were published. This is a major data breach from the government that puts a lot of people in a vulnerable position. Ministry of Defence staff and senior counter-terrorism officers due to receive honours were also on the spreadsheet.
A member of the public made the discovery when they were able to download the spreadsheet and contacted the Guardian. The document seen by the Guardian contains the details of 1,097 people. Some of the Ministry of Defence staff named in the list had their addresses redacted but a vast majority of people’s house numbers, street names and postcodes were public. The list was taken down early on Saturday.
The Cabinet Office responds
A Cabinet Office spokesperson apologised for the error and said it had reported itself to the Information Commissioner’s office. The office claimed the version of the New Year honours 2020 list was published in error and the information was removed as soon as possible.
“We apologise to all those affected and are looking into how this happened. We have reported the matter to the ICO and are contacting all those affected directly.”
Under GDPR, a data breach must be reported to the ICO within 72 hours.
Jamal Ahmed, Fellow of Information Privacy and Director of Kazient Privacy Experts provided his opinion on the revelation, “I find this very concerning; the Cabinet Office (amongst other things) is responsible for supporting the National Security Council and Joint Intelligence Organisation coordinating the government’s response to crises and managing the UK’s cybersecurity.
“This incident is indicative of a lack of appropriate Data Privacy training and awareness at the Cabinet Office as well as an absence of appropriate technical and organisational measures demonstrating a failure to comply with the GDPR/DPA 2018.”
The Director of the award-winning GDPR consultancy firm also adds, “The unauthorised disclosure of some of the personal information such as home addresses is likely to cause distress to many on the list.”
“Article 82 of the GDPR grants any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation for the damage suffered.
Ahmed concludes with advice for those affected by the breach,
“I would encourage those affected to get in touch with their lawyers and suggest the Cabinet Office get the cheque book ready.”
The ICO is yet to comment.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.