What Happened in the New Year Honours Data Breach?
2019 was a big year for cyber security breaches, and even Christmas couldn’t slow that train, with one last story yet to hit: the breach of personal details for over a thousand New Year Honours recipients.
The list included the likes of Sir Elton John and TV cook Nadiya Hussain, along with senior police officers and Ministry of Defence staff, making this a major data breach and putting the government’s data protection policies and staff cyber training under serious scrutiny.
The New Year Honours list was only supposed to contain the names of individuals, their roles and the honours awarded to them. However, the list mistakenly included their full home addresses and postcodes.
It was published on the Gov.uk website on Friday 27th December, instantly generating comments on social media probing the data provided on the list. Although it was removed by the Cabinet Office within an hour of its publication, the list had already been copied and widely shared.
The government could now face legal action from those whose addresses were published, as well as further sanctions from the Information Commissioner’s Office (ICO).
What should have been a proud and momentous moment in the lives of those to be honoured has now been overshadowed and dampened by the breach of their personal details.
Indeed, any individual who was on the list and is considered to be at heightened risk will be visited by the police to offer security advice. It not only tarnishes what should be a truly wonderful day, but it has also caused immense reputational damage to the parties involved, something that could take months, if not years, to rebuild.
Human Error to Blame?
When interviewed on Radio 4, Lord Kerslake, former head of the civil service, suggested ‘human error’ was to blame, questioning whether employees had been given sufficient training on data regulations.
Despite this, lawyers who specialise in data protection believe the ICO will regard this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices. If, however, the ICO decides to make an example of the Cabinet Office, it could face a fine of up to £17 million under GDPR.
The story is another example of how one thoughtless click of a button can lead to front-page news.
More than individual error though, organisations must do much more from the top downwards to secure their data. Without education and awareness of data protection and regulation, can employees really be made responsible for their cybersecurity habits and attitudes?
It’s easy to point the finger at the individual who published the data, yet if more awareness and training had been instilled throughout the Cabinet Office, the individual responsible may have taken that little step back and thought twice about their actions before they clicked the publish button.
What Needs to Be Done?
Despite most employees striving to do their best, mistakes do happen, and unfortunately, in cases such as this, they can have disastrous consequences for both the organisation and those directly affected. The mistake may not feel like a ‘big deal’ to those unaffected, but the same cannot be said for the victims.
The information was personal, intruding on the recipients’ home and family lives. More training and education on data handling is pivotal, and individuals need to think more seriously and deeply about how they would feel if personal information about them were made available to the general public.
If employees are unaware or have a lack of education on the risks involved in the handling and protection of data then ultimately it’s not a matter of if a breach will happen, but when a breach will happen.
With over 90% of data breaches occurring as a result of human error, awareness training and education on cyber security has never been as important as it is now.
Disappointingly, investment in awareness training remains at critically low levels in many organisations, despite the fact that the cost of awareness training is a drop in the ocean compared to that of a data breach. In 2019 the average cost of a data breach was £4,180 for small firms, £9,270 for medium firms and £22,700 for large firms.
The damage doesn’t stop there, however. With data breaches now more widely reported in the media, organisations also face the footprint of reputational damage, sowing doubt and uncertainty in the minds of both current and potential clients.
Want to Avoid Your Organisation Falling Foul of Human Error?
At Bob’s Business, we believe in small changes making big differences.
We’re here to bring cultural change to your organisation so that your workforce is always vigilant to the ever-growing landscape of cyber security threats and can protect business-critical information.
Our cyber security courses:
- Are uniquely designed to help change cyber security cultures within your organisation and reduce the likelihood of your organisation falling victim to cybercrime
- Increase accountability within your organisation
- Offer advanced reporting and help deliver measurable progress
Find out more about our award-winning cyber security awareness training and how we can help instil a culture of cyber security throughout your organisation.
A Personal Note
On a personal note, Bob’s Business would like to express our delight that Nicola Whiting from Titania has been awarded an MBE for her services to International Trade and Diversity, whilst Dr. Emma Philpott, IASME’s Chief Executive Officer, was also awarded an MBE in 2019 for her services to cyber security.