Every New Year's Day, the UK publishes a list of recipients of a range of "honors" for achievements and service in public life. However, alongside the names of those in receipt of awards, the New Year Honours' list for January 2020 briefly featured the full address of each recipient – a serious breach of data security by the UK government's Cabinet Office.
Data leakage is a failure of people, process, and technology
There are over 1,000 recipients of the latest New Year Honours – some are well-known public figures and others have received awards for services to a range of areas including healthcare, homelessness, and education. Names are published when the awards list is announced, but other personally identifiable information (PII), such as full address details, is confidential and should remain so.
The Cabinet Office has reported itself to the UK Information Commissioner's Office (ICO) – another government body – in accordance with the General Data Protection Regulation (GDPR) breach rules, which state that the ICO must be informed within 72 hours of discovering a personal data breach. The Cabinet Office has also stated that it is in the process of contacting all affected individuals, also in accordance with GDPR. The process of reporting a data breach appears to be well established in this department of the UK government.
However, investigations will be underway by both the ICO and the Cabinet Office as to what went wrong on this occasion to lead to the exposure of information. In Ovum's opinion it is doubtful that this high-profile data leak will be the result of a single failure; instead, a combination of process, people, and technology failures is likely.
There have potentially been two process failures. The first is in the classification of the document containing PII, which should have been set to "confidential" and therefore prevented from being shared. The second is the process of selecting and assuring the right document to upload. There is the possibility that the appropriate training and education had not been provided to the individual(s) involved in uploading the document. Technology for data leakage protection (a term interchangeably used with data loss prevention – both DLP) should apply security policy to information to ensure that confidentiality is maintained. If the document was correctly classified but was still selected in error, then DLP should have prevented the information from being exposed.
What this leak shows is that even organizations with the highest of profiles are not immune to lapses in security controls. Organizations should regularly review security controls to ensure that they are still fit for purpose.
Cybersecurity: Impact and Opportunities, INT003-000336 (March 2019)
The Insider Threat: Know it and work with it, INT003-000259 (October 2018)
"Education is necessary to improve security behavior," INT003-000350 (April 2019)
Maxine Holt, Research Director