Dec 5, 2021 | Blog

Cabinet Office Fined for Serious Data Breach

Howard Freeman

Howard Freeman

Howard Freeman – November 2021

A ‘complete disaster’ is how the publication of the home addresses of recipients of awards in the 2020 New Years Honours List has been labelled

Iain Duncan-Smith, called for an urgent inquiry into the incident. He also warned of legal action likely to follow so this is highly embarrassing for the government.

The Cabinet Office has been accused of putting lives and safety at risk. The accusation was made after publishing the names and home addresses of over 1,000 recipients of awards. The details of celebrities, politicians, police, military and intelligence officials were accidentally published. The Cabinet Office has been fined £500,000 by he ICO. A bill that will no doubt be paid by you, the UK tax-payer.

The publication of the home addresses of recipients of awards in the 2020 New Years Honours List included Sir Elton John’s

Richard Walton, the former head of counter terrorism at Scotland Yard said the error could endanger honoured officials working in sensitive roles for the police and intelligence services.


The release of the private addresses of these individuals into the public domain increases risk. This could result in some having new private security measures introduced into their homes, Mr Walton said.

Iain Duncan Smith added, security implications were very concerning. Sir Ian said: “ministers need to be asking some very serious questions of those involved about how this was allowed to happen. Why were no final checks were carried out before the document was published?”. The document was published on the web site but quickly removed. However, the data was accessed 3.872 times, over a period of two hours and 21 minutes.

An unnamed senior counter terrorism official called for the resignation of cabinet secretary Sir Mark Sedwill, who also holds a role Boris Johnson’s national security advisor.

Lord Kerslake told BBC Breakfast: “It is a serious and indeed extraordinary breach. This is a well stablished process that has gone on in pretty much the same way for years. I think an urgent investigation is certainly needed”.

Warning of legal action, he also said: “even if individuals don’t take action, the information commissioner is legally bound to investigate it. we know that in other instances weather has been a significant data breach, the potential fines are very large indeed.

The ICO has said that it is now investigating. The details of the vast majority of the 1097 recipients were made public. The recipients included Sir Elton John, cricket star Ben Stokes and Bake Off winner Nadiya Hussein. Following the accidental publication, the details were removed an hour later.

The Cabinet Office has apologised and has referred itself to the regulator. The ICO has received three complaints so far. The Cabinet Office added that it had instigated a number of operational and technical measures to improve the security of its systems. Such measures should have been in place before this happened, not after! They have promised staff training! A little late perhaps!

The Law

The introduction of the general data protection regulation in 2018 has increased the penalties available to the regulator though interdepartmental fines are pointless.

This is clearly a farcical error and totally inexcusable. The government should be fully aware its responsibilities under the GDPR and the new data protection act passed in 2019. The fact it can’t stick to its own rules is just further embarrassment for the government.

John Trickett’s, shadow minister for the Cabinet Office, said the incident showed incompetence that is unacceptable.

In writing this article, am in no doubt that an urgent inquiry will take place. Improvements in the Cabinet Office will follow quickly. Data breaches happen everyday. Many businesses simple simply fail their clients and partners with inadequate protection.

The bigger question is about money! The fine of £500,000 is from one Government Department to another. Therefore, it is largely pointless. However, legal action from those on the list will be a different issue. Compensation in Class Actions can be very high and yet again it is the tax-payer who foots the bill.

The person in charge must be accountable. However, that normally involves a resignation onto a bountiful Civil Service pension. The GDPR, or in particular, the UK version thereof should have a clause of criminal liability to encourage leaders to enforce the regulation.

The Reality

There is no surprise that this has happened. We hear from business and government very day. They simply do not understand the law and the fact that the GDPR is a LEGAL requirement. The ICO needs to push harder to get this message home. However, we seeing to be educating the market when It is not our job. The ICO needs to earn the much maligned registration fee instead of irrelevant fines. The ICO must enforce the law!

Do you understand the law? Can you honestly be sure you are compliant and that this won’t happen to you? Take the challenge and call us. We offer a free one hour consultation with a free, no obligation health check and report. Call us on 03333 22 1011 or contact us here.


Can we help?