Cabinet Office data breach fine – 6 key takeaways

December 2021

A data breach could be blamed on human error, when the real culprits are a lack of controls, checks and balances

The ICO has fined HM Government’s Cabinet Office £500,000 for a data breach, following the disclosure of people’s home addresses published in the New Year’s Honours List.

What went wrong and what lessons can we learn?

How did the data breach happen?

Here’s a summary – yes it’s quite dry but worth looking at. It illustrates how the devil really is in the detail when it comes to systems and end-user requirements from a data protection perspective.

  • In 2019, a new IT system was introduced in the Cabinet Office to handle public nominations for the New Year Honours.
  • The ICO investigation found the system was set up incorrectly; it was mistakenly configured to generate a CSV file which included people’s postal addresses. This should not have happened and was not a feature requested in the original build requirements.
  • Testing took place on the reports the system generated, but the postal address column went unnoticed. It’s believed this was partly due to the large number of fields in the spreadsheet and the focus being on making sure the list of successful Honours recipients was accurate.
  • Instructions were provided to staff to explain the process for running the reports. However, these were based on how the system should have been set up (i.e. the original build requirements) and didn’t include checks to make sure extraneous personal data was removed.
  • The error was identified at a later stage, but due to tight timescales to get the Honours list published, it was decided the file should be amended rather than making modifications to the IT system itself. A decision was taken to hide the postal address information, however it was still contained within the document itself, as it had not be deleted.
  • When the list was published on the Cabinet Office website on Friday 27 December at 10.30pm, this data became visible, and people’s postal addresses were accessible.
  • Some of the data affected was already in the public domain. However, numerous postal addresses which were not in the public domain were made public.

Steve Eckersley, ICO Director of Investigations, said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Action taken following the data breach

Within thirty minutes of the list being published, a member of the Government Communications Team alerted the Cabinet Office to the breach.

The list was quickly republished, removing the link to the offending CSV file. However, due to the automatic caching on the gov.uk website the file continued to be accessible (seriously, caching is the bane of my life too!).

A developer finally managed to permanently delete the CSV file shortly before 1am on the Saturday morning.

I’m sure this was an, er, interesting Friday night for those involved.

Individuals affected by the breach were contacted within 48 hours via email or telephone, and a few were contacted by post.

The Cabinet Office notified the ICO within 72 hours of becoming aware of the breach in accordance with GDPR.

In its enforcement notice the ICO acknowledges that the Cabinet Office acted promptly and undertook a full incident review.

Since the breach, it is reported a number of ‘operation and technical’ measures have been implemented to improve the system security and an independent review focusing on the handling of data was completed in 2020.

You can read more detail in the full enforcement notice

6 key takeaways

The ICO investigation and an independent review examined the Cabinet Office’s data handling practices in light of this breach. The findings provide useful tips on measures we should be considering and steps we should be taking. All of these speak to the need to take a Privacy by Design approach.

1. New systems

The review report said; “Interviewees raised a number of concerns around the procurement of new software to run their data handling processes. Some said that financial considerations meant that off-the-shelf solutions were chosen to run processes that, given their complexity, warranted bespoke solutions”.

A stark lesson: we need to make sure appropriate due diligence is conducted both at the procurement stage and when scoping the requirements for tech solutions, and ensuring development accurately matches that agreed scope. We need thorough UAT (user acceptance testing). We mustn’t roll-out new systems/software too quickly. Cutting corners can lead to mistakes.

Conducting a Data Protection Impact Assessment can often be really useful way of identifying and mitigating risks from the outset.

2. Procedures and processes

Staff need to be aware of, and have access to, clear data handling procedures and processes. In this case it was found procedures were insufficient or incorrect. There was also a lack of instructions for what to do in a crisis (i.e. how to reverse publication once the breach had occurred).

Are you confident your staff know how to handle data appropriately? Are your processes regularly reviewed and updated? Have you practiced or ‘war-gamed’ worse-case scenarios?

3. Out of hours incidents

It’s a bit of cliché, but data breaches inevitably occur at the worst possible time – at the weekend or on a Bank Holiday. Sod’s law they will happen when key people are on holiday or unavailable.

The Cabinet Office suffered a breach at 10.30pm, on a Friday, in between Christmas and New Year. They aren’t the first, and certainly won’t be the last to have this happen at the worst possible time.

Does your data incident plan cover such eventualities? A common gap can be not having mobile numbers for key people and not having contact details for ‘a second in command’ if the key person isn’t available.

Credit where credit’s due – in the circumstances I think it’s impressive they managed to get in touch with affected individuals within 48 hours and got their notification into the ICO within 72 hours.

4. Time pressures

Many businesses are high-tempo, with new systems and projects putting pressure on employees to meet deadlines and deliver on time.

The review of the Cabinet Office found there was regular pressure to deliver on urgent political priorities; “The pace required to deliver on these priorities was cited by some business units and stakeholders as potentially compromising the disciplines of good personal data handling”.

Is your organisation at risk of pushing too hard to the detriment of data protection? Are people aware of the potential risks?

5. Training and awareness

The Cabinet Office had seven modules in their “Responsible for Data” e-Learning. However they were unable to provide the ICO with a clear percentage of who’d completed the training.

The regulator found employees in the Press Office and Digital Team, who were also involved in the process of the data being published, hadn’t received data protection training in the past two years.

This demonstrates the importance of not only making sure staff receive adequate, regular and appropriate training, but also why its important to keep records too.

6. Accountability

Do you have clear lines of accountability and responsibility? It’s a potential recipe for disaster to leave less experienced or junior members of staff to handle important jobs (especially late on a Friday night). Are senior members of staff available to sign off and check things when required?

In summary…

When I first heard of this breach back in December 2019, my heart sank for those involved in pushing the button. Would the finger inevitably be pointed at them for making such a big and very public mistake?

But I also thought, how could it have got to this stage? How could there not have been checks and balances in place throughout the process to make sure people’s private postal addresses could never be published?

In the independent review commissioned by the Cabinet Office, the following important observation is made: “Breaches, such as the one that impacted New Year’s Honours recipients in December 2019, are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically”

We all have feet of clay, and this is not an issue which will be limited to the Cabinet Office.

 

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.