‘Significant risk’ of more Cabinet Office data breaches
A UK Government department admonished for leaking honours list details is at “significant risk” of making further and bigger personal data breaches, a review has found.
The Cabinet Office apologised after the home addresses of celebrities, military figures and elderly people named in the 2020 New Year Honours list were inadvertently posted online. Adrian Joseph, conducting a review of the department’s handling of personal data, found such breaches were “too easily assigned to human error” where a “greater consistency of process, controls and culture” could have “reduced the risk systemically”. He said in his executive summary: “There is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the department increases.”
Mr Joseph said recommendations in his review, including confirmation of a new data strategy and refreshed training, sought to offer protection in the system when it comes to dealing with personal data.
The reviewer, whose position is listed as managing director at BT, said he had observed that good examples of processes and controls exist.
But Mr Joseph said “inconsistent application and lack of monitoring” limited the ability to protect against and respond to data breaches.
The Cabinet Office has amassed more than 200 million emails, documents and other digital files since it first began storing such information 20 years ago, the report noted.
It also said this is expected to increase by more than 50 million records a year, adding not all of it will contain personal data. Data the department handles includes HR responsibilities for almost 8,000 employees and, from April 2020, security vetting.
This involves processing personal data, including on relationships, financial affairs and political beliefs.
Google Drive is the standard platform for all “Official” and “Official-sensitive” information within the department, the report explained.
On the New Year Honours breach, the review said the offending details were online and accessible for “approximately 40 minutes” before the error was identified and the link removed.
It added: “The document was still available to those who knew the specific URL address for a further 150 minutes.”
Sir John Manzoni, Permanent Secretary for the Cabinet Office, said “some steps” have already been taken to improve the handling of personal data across the department.