EXCL: Cabinet Office alerted to data breach – and fails to respond for 10 days

Personal details of civil servant and supplier exposed by inadequately redacted document, discovered by PublicTechnology

Credits – Image above: Pxhere /  Image below: Snag Eun Park/Pixabay

The Cabinet Office was this month alerted to a data breach which exposed personal details of a civil servant and a supplier representative. 

The department then failed to acknowledge or address the breach for 10 days – which was finally fixed after the press office was asked for comment. 

This response can be compared with that of the Department of Health and Social Care which – when alerted at the same time to a very similar incident – seemingly began work on fixing the problem very quickly, and responded to provide details of remedial actions to fix the breach, and take steps to ensure it is not repeated in the future.

On 4 November, the Cabinet Office published a contract-award notice providing information on a £5m one-year deal for “cloud support services” awarded to tech consultancy Thoughtworks. The contract relates to ongoing work to modernise government’s security-vetting processes.

“We take any breaches of security extremely seriously. This issue has been resolved and we are taking steps internally to ensure an incident of this nature does not happen again.”
Cabinet Office spokesperson

Attached to the notice was the full contract in PDF form.

Attempts had been made to redact to the document, including the removal of email and mobile-phone contact details of named individuals, as well as the specifics of pricing and other commercial information the department clearly wished to keep under wraps.

However, the contract text containing these details had only been highlighted in black – and not deleted, or otherwise rendered inaccessible. This means it can still be easily read by copying it and pasting it into another document. 


4 November
Date on which personal information was exposed in contract document

11 November
Date on which Cabinet Office data protection officer was notified

22 November
Date on which the breach was addressed, after the press office had been contacted for comment

£50,000
Fine issued to Cabinet Office for New Year 2020 Honours data breach

90%
Amount by which this fine was reduced as part of the ICO’s new approach to working with the public sector


Having discovered the breach, PublicTechnology contacted the dedicated inbox of the department’s data-protection officer at 2.30pm on Friday 11 November, providing details of the incident and enquiring what action might be taken in response.

As of the morning of Monday 21 November – when the press office was contacted to request comment on the incident – no response to this email had been received, and the document containing the exposed personal data was still available online. It was replaced with an updated version – with individuals’ information properly removed this time – the following day.

A spokesperson for the Cabinet Office said: “We take any breaches of security extremely seriously. This issue has been resolved and we are taking steps internally to ensure an incident of this nature does not happen again. The details shared in this document were not of a sensitive nature.”

A familiar issue
While it may now be working to ensure this does not happen again, a near-replica of this incident has occurred before. Two years ago, PublicTechnology discovered a breach in which the Cabinet Office had exposed the personal data of an official and a supplier representative by releasing a contract document in which information had been highlighted, rather than deleted.

On that occasion, an initial email to the data-protection officer remained unanswered, and the breach was only fixed shortly after the press office was alerted.

Exposing personal data via highlighting text, rather than proper redaction, is a familiar issue, having been the cause of several breaches. 

Indeed, at the same time that PublicTechnology initially contacted the Cabinet Office, we also contacted the data-protection officer of the Department of Health and Social Care to notify them that the names and email addresses of civil servants and supplier staff had been published in a contract in which this information was, once again, highlighted, and not removed.

Six days later – by which point the document had been removed from the procurement notice – we received a response indicating that the department had taken steps to “ensure this data was contained and protected as soon as logistically possible”.

The DPO also said that, immediately after being alerted to the breach, officials had “begun the process of reviewing why this occurred and how to ensure appropriate awareness, training and insight is provided to colleagues to ensure the risk of an incident such as this occurring again is minimised”.

The department advised that its communications team had been informed and “so that the quality assurance process currently in place can be enhanced”, and that existing programmes – while they are already “consistent and far-reaching” – will contain some tailored content to address the specific issue behind this latest breach.

Raising standards
The issue in question poses such a common risk that guidance documents from the Information Commissioner’s Office on how public sector officials can disclose information safely attempt to address this issue with detailed advice on the nature of the problem, and how to address it. 

“An author might be tempted to use the highlighter tool to add a black box around text marked for redaction,” the guidance says. “It is important to recognise that the information still exists underneath the black box.”

“Care must be taken when publishing information to avoid inadvertent disclosures. Our website has advice on how to disclose information safely.”
ICO spokesperson

Earlier this year, the ICO announced that it was changing the approach it takes to working with the public sector, and intends to focus more on raising standards – and calling out bad practice, where necessary – but less on financial punishments. As part of this new ethos, the regulator recently revealed it was reducing, from £500,000 to £50,000, the fine being levied on the Cabinet Office for the breach in which personal details of more than 1,000 recipients of the New Year Honours in 2020 were exposed.

In a statement sent to PublicTechnology for this story, an ICO spokesperson said: “We are working with the public sector to ensure people’s information is being looked after, as part of our new approach to working more effectively with public authorities. Care must be taken when publishing information to avoid inadvertent disclosures. Our website has advice on how to disclose information safely.”

 

Sam Trendall

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *