On 27 December 2019, the Cabinet Office inadvertently published a spreadsheet online containing personal data of the 1,097 recipients of New Year Honours. This disastrous data breach detracted from the announcement of the honours, but the greater concern is that the breach exposed the recipients and their families to risk of serious harm, harassment and cyber-attacks.
The data breach
The published spreadsheet contained names, full home and work addresses of the recipients, including celebrities such as Nadiya Hussain and Elton John as well as members of the armed forces, counter-terrorism officers and emergency services.
The Cabinet Office responded quickly – taking down the spreadsheet after an hour and has apologised for the data breach. It appears the spreadsheet was uploaded in error, presumably the names were intended to be uploaded but the additional personal data was not intended to be included in the spreadsheet. It is a reminder of the importance of a “gateway” approach being adopted to any processes which involve data uploads and public disclosures of any source of personal data to minimise human errors. The Information Commissioner’s Office (ICO) is “making enquiries” into the data breach.
Consequences of the data breach
This accidental disclosure of personal data is a significant security breach, particularly as recipients of honours included senior police and Ministry of Defence staff. Once information like this is disclosed it’s hard to put right. Understanding how many times and by whom the data has been downloaded will be almost impossible.
How does a breach like this relate to my business?
This data breach illustrates how human error can lead to significant data breaches. It calls to mind other instances where ministers revealed sensitive information when photographed carrying uncovered reports and memoranda.
Under the General Data Protection Regulation, the ICO can now impose substantial fines for data breaches such as this. The maximum fine that the ICO can impose is the higher of €20 million or 4% of global turnover. We would expect any enforcement to be proportionate to the scale of the breach and the consequences for data subjects which are significant. However, it is not thought there was any intention or poor security measures on the part of the Cabinet Office. As such, any fine may be at the mid to lower end of the spectrum compared to deliberate disclosure or poor security measures that led to a cyber-attack which are more likely to be at the higher end.
How can I protect my business?
Businesses that process personal data, especially those which disclose or publish parts of this data are particularly exposed to such risks. Having robust processes in place around how you handle personal data and how you check and gate disclosure is crucial. Human error is inevitable even with the increased use of technology and this risk needs to be gated as part of any process. Should a data breach occur, businesses can mitigate the consequences through effective incident response, including effective and prompt communications with affected data subjects and the ICO.
The Cabinet Office reported the incident to the ICO promptly as is good practice. It also informed recipients, apologised to them and offered support and guidance.
What happens next?
Affected recipients could claims for damages under the GDPR, whether individually or as part of a class action, via a group litigation order. Parties can make claims for distress even if they can’t prove financial or other direct loss. We are also expecting the ICO to report on the breach.
How can we help you?
We advise on the different aspects of data and cyber security and we’d be happy to help you with any questions you have or support you may need.
Please get in touch with Rebecca Steer at firstname.lastname@example.org for an initial free of charge consultation.