UK government admits Windrush Generation data breach

The government has come clean over a data protection breach that took place when the Windrush compensation programme was initiated.

The breach came about when the Home Office sent information to Windrush migrants, inadvertently exposing the recipients’ email addresses in the process.

An investigation has now been launched into the problem, and the Information Commissioner’s Office has been brought into the equation to get to the bottom of any data law violations that may have taken place.

The Minister for Immigration, Caroline Nokes, issued an unreserved apology for the “administrative error” that resulted in a data breach which adversely impacted five groups of emails. Each group comprised 100 recipients, Ms Nokes explained.

Among the victims of the breach were Windrush migrants and others who had requested updates regarding the recently-launched compensation programme.

Speaking to GDPR: Report, Egress Software CEO, Tony Pepper, said:

“When this accidental incident occurred, there was no safety net and no way of alerting the sender of the mistake. This is a common error that we’ve also seen in our recent research, where 45% of employees who accidentally shared information sent it to the wrong person.”

Commenting on a potential cause of the error, Mr Pepper said:

“Traditional solutions to prevent inbound and outbound data breaches – such as firewalls, endpoint security, encryption and malware scanning – have little to no impact on accidental incidents, as they can’t stop someone from doing something like sending an email to multiple recipients using To/Cc instead of Bcc. This is because they can’t tell the difference between ‘good’ and ‘bad’ user behaviour (whether accidental or malicious).

“While organisations typically prioritise the malicious outsider over the accidental insider threat, the latter has been fundamentally underestimated,” he added.

Mr Pepper also underlined how technology can be employed to mitigate similar problems in future:

“With intelligently applied machine learning and big data analysis combined with a people-centric approach to technology and awareness programmes, it is possible to mitigate against such human errors and enhance organisations’ cybersecurity,” he said.

The Windrush generation is made up of around 500,000 individuals presently living in the UK, who arrived on these shores between 1948 and 1971 from Commonwealth countries, such as those in the Caribbean. The name is taken from the Windrush ship which transported workers to the UK in 1948.

Those who arrived during that time were given indefinite leave to remain in the UK back in 1971, but thousands of children also travelled over to Britain on their parents’ passports.

Many of these children eventually found it difficult to officially consolidate their status as residents of the UK. These problems were exacerbated by changes to immigration law in 2012, which forced individuals without official documentation to provide evidence of their residency in order to continue living and using services in the UK.

Some members of the Windrush Generation were detained or deported even after having lived in the UK for many years, treatment which has since prompted a furious public backlash.

