PrivacyCache
GB | Data Breach | Other | Decision: 2022-01-20

Cabinet Office

GBP500K

Issued by Information Commissioner's Office (ICO) on 2022-01-20

What happened

The ICO fined the UK Cabinet Office £500,000 for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office published the home addresses of over 1,000 people, including those who had been honoured for their contributions to national security, intelligence, and law enforcement. The data was accessible on the official government website for several hours before it was identified and removed. The ICO found that the Cabinet Office failed to put in place appropriate technical and organizational measures to prevent the unauthorized disclosure. The data was supposed to be redacted before publication, but human error and inadequate review processes led to the unredacted file being uploaded.

Articles violated

Art. 5(1)(f) UK GDPR, Art. 32 UK GDPR

Lessons learned

Even government departments must implement robust data handling procedures, especially when publishing information online. Human error is a leading cause of data breaches — automated redaction tools and mandatory review processes should be implemented for any public-facing data publication. Publishing home addresses of individuals involved in security and intelligence creates serious safety risks. Organizations should implement a 'four eyes' review principle where sensitive data is checked by multiple people before publication.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
