British government fined 590,000 euros for leaking address list
The British privacy watchdog ICO has imposed a fine of 590,000 euros on the British government. In 2019, the government had accidentally published a list of the addresses of 1097 people.
The ICO writes that the government has “failed to take appropriate technical and organizational measures to prevent the unauthorized disclosure of people’s information.” According to the watchdog, the personal data was available online for two hours and 21 minutes and the website on which it was published was consulted 3,872 times.
“The inability to mitigate the risk of a data breach has left hundreds of people potentially exposed to the risk of identity fraud and threats to their personal security,” said ICO CEO Steve Eckersley. “The fine imposed today is a signal to other organizations that the safe handling of people’s data and regular monitoring of the right measures should be at the top of their agenda.”
The CSV file with address details was published at the end of 2019 on an official website of the British government. The list consisted of candidates for the New Years Honours, an event where various prizes are awarded to, among others, Britons who have done charitable work. The list was maintained in a system that was new at the time, in which the nominations were processed.
Due to the approaching deadline for the publication of the New Year Honors list, the responsible office decided to change the CSV file instead of modifying the system. However, whenever a new version of the file was generated, the postal address information was automatically included in the file. As a result, the address details of the nominees were visible to every website visitor.
After the government became aware of the data breach, the web link to the file was removed. However, the file was still cached and accessible online to people who had the exact web address.
The list included full addresses of Elton John, former Conservative Party chairman Iain Duncan Smith and prosecutor Alison Saunders. Employees of the Ministry of Defense and terrorist fighters were also on the list, reports The Guardian. In total, the file contained data on 1097 individuals.