EXCL: Cabinet Office publishes employee and supplier personal info in data breach
Improperly redacted contract included names and mobile phone numbers – which remained publicly available four days after department had been notified of breach
Personal data including names and mobile-phone numbers was published by the Cabinet Office and remained publicly available online for five days, PublicTechnology can reveal.
A contract-award notice published last week on the GOV.UK Contracts Finder site included – as many notices do – the full contract available for download in PDF form. Information on named representatives of the Cabinet Office and the supplier in question, Palantir, was redacted from the 109-page document, as were four full pages of text relating to the services to be delivered.
However, the information in question had not in fact been removed – but merely covered over with a black highlighting tool (pictured below right). The text underneath could be copied and pasted into another document – and email addresses could still be clicked on to automatically launch a new message to the recipient in question.
The deal relates to a £20m engagement for US big data firm to deliver a “border flow management tool”. A representative of the company and a member of the Cabinet Office’s Border and Protocol Delivery group were named in the redacted section as “principal contacts”.
In each case, their name, email address and mobile phone number was published.
PublicTechnology spotted the breach on Friday 23 October – the day after it had been published. The Cabinet Office data-protection officer was contacted at 4.15pm on Friday to alert them to the breach.
The contract then remained available for download online throughout the weekend and the whole of Monday. It was finally removed shortly before midday on Tuesday – about two hours after the press office had also been contacted requesting comment.
PublicTechnology asked the Cabinet Office to clarify whether the affected individuals had been notified and if the breach had been reported to the Information Commissioner’s Office. We also enquired whether the breach had been the result of technological fault or human error, as well as why it had taken so long after notification of the breach for the information to be removed.
The department indicated that the breach has been logged internally, and that Palantir has also been notified.
A spokesperson added: "We have taken down the contract that included information published in error. Due to the nature of the information, the Cabinet Office is satisfied no further action is required.”
No indication was provided on how the breach occurred, nor any comment on why it took so long after the data-protection officer had been notified for the data to be unpublished.
The ICO has published a guide for public-sector organisations titled How to disclose information safely – Removing personal data from information requests and datasets.
The document specifically warns against the use of highlighter tools as a means of redaction of personal information from digital documents – as it can equate to simply “hiding data in plain sight”.
“An author might be tempted to use the highlighter tool to add a black box around text marked for redaction,” the guidance says. “It is important to recognise that the information still exists underneath the black box in the original electronic file.”
The latest breach comes after a year in which the Cabinet Office’s data-protection regime – and its shortcomings – has come under close scrutiny. At the beginning of 2020, the department accidentally published the home addresses of hundreds of people recognised in the New Year honours list, including celebrities such as Elton John, Nadiya Hussain and Ben Stokes.
Following this incident, the department subjected itself to an independent review of its data-handling processes. This exercise concluded in April and found that, while the Cabinet Office had “adequate guidance and policies”, there were “concerning lapses” in procsesses and behaviour, and the implementation of rules and advice.
"Due to the nature of the information, the Cabinet Office is satisfied no further action is required."
The review made six main recommendations: enhance accountability and governance; reward the right behaviours and recognise skills; confirm a new data strategy; be transparent on progress; refresh training and guidance; and establish consistent standards and technology controls.
To support the implementation of these recommendations, the Cabinet Office published a contract notice in August seeking a commercial partner to help “mobilise a programme to respond to the findings” of the review.
A budget of £2.25m was set aside to work with the chosen supplier to deliver this programme – which was due to commence around mid-September and conclude by the end of this year. It is not clear whether this programme is now underway, but a contract-award notice confirming the appointment of a supplier is yet to be published.
Lord Evans tells MPs that personal messaging platforms should only be used by ministers if doing so can be properly regulated
Improvements to pass system will attempt to address ‘potential security vulnerability’
Regulator updates guidance after introduction of new measures
Committee publishes damning report on scheme it claims is five years behind schedule and hundreds of millions of pounds over budget