[BreachExchange] New Year Honours: Government faces multi-million pound compensation bill over leaked private details

Destry Winant destry at riskbasedsecurity.com
Tue Dec 31 10:08:47 EST 2019


The Government is facing fines and a compensation bill running into
millions of pounds after the disclosure of the home addresses of
counter-terrorism experts, senior police officers and celebrities on
the new year honours list.

Senior figures demanded an exhaustive inquiry into the circumstances
which led to the personal details of more than 1,000 individuals who
will receive awards being posted online by the Cabinet office on
Friday evening.

The list of those whose full home address was available on a
downloadable spreadsheet for at least 30 minutes included nearly 40
people involved in sensitive defence and counter-terrorism work, among
them Scotland Yard’s head of covert counter-terrorism and organised
crime operations and two chief constables.


The list includes a number of serving military personnel alongside
prominent celebrities such as Sir Elton John, cricketer Ben Stokes and
television chef Nadiya Hussain.

A former head of the civil service called on Sunday for a formal
investigation into the error at the Cabinet Office as legal experts
warned of the likelihood of hefty damages claims for distress and the
cost of the extra security necessary to secure the homes of those
affected. Among those who received honours were individuals involved
in securing police stations in Northern Ireland and experts involved
in the aftermath of the Salisbury nerve agent poisonings.

A security source told i that in a “handful” of cases individuals
involved in sensitive intelligence or counter-terrorism work may need
to be relocated while another said that the disclosure of the home
addresses of senior figures working in areas such as defence research
would be “manna from heaven” for the espionage services of China and

'Matter of urgency'

Sir Iain Duncan Smith, the former Cabinet minister who was knighted in
the honours list, described the breach as a “complete disaster”, the
head of the body for chief police officers indicated an urgent
security review was under way.

Martin Hewitt, chairman of the National Police Chiefs’ Council, said:
“We are engaging with relevant governmental departments, including the
Home Office and the Cabinet Office, to ascertain what actions they are
taking to manage the situation, and to see what actions we might need
to take.”

Extra security measures

The Information Commissioner’s Office (ICO) has begun an investigation
into the leak after the Cabinet Office, which oversees the honours
process, referred itself to the data watchdog. The ICO has the power
to impose a hefty fine on the Government for breaching its own data
security rules. Earlier this year the watchdog said it intends to fine
British Airways £183m for the loss of personal data for 500,000

Any eventual fine for the Cabinet Office will sit alongside the likely
cost of compensation claims arising from the disclosure. Richard
Walton, a former head of counter-terrorism at the Yard, said a number
of officers were likely to need extra security measures as a result of
the publication of their home addresses.

Specialist lawyers said celebrities and others affected by the
disclosure would have strong grounds for seeking damages.

Sean Humber, a data breach specialist at law firm Leigh Day, said:
“Those individuals on the list affected by the data breach are likely
to have claims for compensation for unauthorised disclosure of their
personal information, including for any anxiety or distress suffered,
as well as the costs for any reasonable action they now feel they need
to take as a result of the blunder.”

'Unforgivable breach'

Mark Stephens, media and privacy expert at law firm Howard Kennedy,
told i: “This is an unforgivable breach of data protection. The people
adversely affected would be entitled to make a joint claim for
compensation in the High Court.”

A separate legal source said the bill for multiple actions arising
from the disclosure could “easily” reach “low tens of millions” of

The Cabinet Office has insisted that the list of addresses was
published “in error” and removed as soon as possible. Although the
data was only on the department’s website for about 30 minutes late on
Friday, versions of the document were posted on social media. Part of
the work being done in Whitehall this weekend was to try to ascertain
how often the spreadsheet had been downloaded and by whom.

In a statement, the Cabinet Office said: “We apologise to all those
affected and are looking into how this happened. We have reported the
matter to the ICO and are contacting all those affected directly.”

More information about the BreachExchange mailing list