New Years Honours data breach, recipients announced…along with their addresses.
December 30, 2019
The UK practice of announcing the New Years Honours recipients in the period between Christmas and New Years has turned into a disaster this year. There was no controversy as to who the 1,097 recipients were. It was just that both the recipients’ names and addresses were published online. The addresses included those of senior police officers and celebrities who may enjoy some limelight but are usually wary of divulging where they live.
This is a serious data breach, pure and simple. It happens with depressing frequency and is almost invariably caused by human error. In my experience it often involves a distracted, poorly trained or overworked (or all three) staff member in the Cabinet Office attaching a PDF to a media release or engaging in a very sloppy cut and paste and sending without reviewing. This “drag and drop” practice of attaching documents from a file to an email, without properly considering the documents in question, is quite common and fraught. While ground zero may be the person who released the information and caused the data breach, the management should take part of the blame. How a staffer could handle such sensitive material without some form of oversight is quite extraordinary.
The BBC piece New Year Honours: Publication of addresses a ‘complete disaster’ provides excellent coverage of the debacle:
The online publication of the addresses of more than 1,000 New Year Honours recipients was a “complete disaster”, a former cabinet minister has said.
Iain Duncan Smith, who was knighted, said ministers needed to ask “very serious questions” about how it had happened, while a former civil service chief called it a “serious failure”.
The Cabinet Office has apologised and says it is investigating.
Details of celebrities, senior police officers and politicians were released.
The list of 1,097 honours recipients – including high-profile names such as Sir Elton John, cricketer Ben Stokes, TV cook Nadiya Hussain and former director of public prosecutions Alison Saunders – was uploaded to an official website on Friday evening and removed on Saturday.
Most of the entries in the spreadsheet included full addresses – including house numbers and postcodes. The Cabinet Office said the document was visible for about an hour.
Former head of the civil service Lord Kerslake told the BBC the government could face legal action from those whose addresses were published, as well as from the Information Commissioner’s Office (ICO).
“At the point when people are most happy about having received the honour and most proud, to have the information released like this is really bad news.
“So I can see why they (those honoured) might be very concerned.
“But even if individuals don’t take it forward the information commissioner has to investigate it and we know that in other instances where there’s been significant data breaches the potential fines are very large indeed.”
Lord Kerslake said those who handled the honours were “very good and effective” during his time but insisted his successor Sir Mark Sedwill “shouldn’t in my view think about resigning”.
And, in an interview on Radio 4’s Broadcasting House programme, he suggested “human error” could be to blame for the leak and called on investigators to look at whether staff were given training on data regulation.
Former Tory leader Sir Iain told the Sunday Times: “Ministers need to be asking some very serious questions of those involved about how this was allowed to happen and why no final checks were carried out before the document was published.”
As work and pensions secretary Sir Iain introduced controversial changes to the benefits system – Labour criticised his knighthood calling him the “primary architect of the cruel Universal Credit system, which has pushed thousands of people into poverty”.
Sir Iain said most of his details were already in the public domain.
“It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published,” he added.
‘Much depends on the attitude of those affected’
There is no doubt that this is a serious data breach and the government, of all organisations, should be better acquainted with the law on disclosing sensitive personal information.
But while some of the celebrities and the police officers awarded honours may be concerned about their privacy and security, it would have been far more serious if the home addresses of those on the list of gallantry awards had been leaked.
The Information Commissioner’s Office has so far only levied one fine under the new Data Protection Act which came into effect in 2018 – a London pharmacy was fined £275,000 for careless storage of the very sensitive medical data of half a million people.
Lawyers who specialise in data protection think the ICO will see this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices.
But they say much now depends on the attitude of those who have seen their data leaked – they could decide to bring civil claims against the government for putting in the public domain information many of them have been determined to keep private.
Taekwondo world champion Jade Jones, who became an OBE, told BBC News on Saturday evening that she had not been contacted about the breach.
“Obviously mistakes can be made and I know it is dangerous people’s addresses getting out but, you know, I’m sure they didn’t do it on purpose.”
Asked whether she found the leak concerning, she replied: “It is scary but it’s a good job I do taekwondo.”
A government spokesman said: “A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses.
“The information was removed as soon as possible.
“We have reported the matter to the ICO and are contacting all those affected directly.”
The ICO, which has the power to fine organisations for data breaches, said it would be “making enquiries”.
Data rights lawyer Ravi Naik warned that anyone who came across the information should tell the ICO and not pass it onto others – because they themselves might face legal action.