United Kingdom
Cabinet Office
GDPR enforcement action by Information Commissioner (ICO) on 2021-11-25.
Case details
- Authority
- Information Commissioner (ICO)
- Date
- 2021-11-25
- Controller / Processor
- Cabinet Office
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The UK DPA (ICO) has fined the Cabinet Office EUR 585,000.
On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and uncensored addresses of more than 1,000 individuals who had received New Year's honors. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile.
After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file was still in the cache and was accessible online to people who had the exact website address.
The disclosed personal data was available online for two hours and 21 minutes and had been accessed 3,872 times.
The breach occurred due to an error in the setup of the Cabinet Office's new IT system.
The ICO found that the Cabinet Office failed to take appropriate technical and organizational measures to ensure a level of protection appropriate with the risk to data subjects.
Related fines