Home Office admits second data breach

An apology has been issued by the Home Office after the department revealed fears of a second breach of UK residents’ data in seven days. 

The potential breach stems from the accidental sharing of the private details of EU nationals aiming to obtain settled status in Britain.

As the Home Office sought to remedy technical issues, the email addresses of 240 applicants were “inadvertently” sent to fellow applicants to the scheme, government officials say.

All of those thought to be affected by the incident have been informed via an email which stated:

“We take this opportunity to apologise for any inconvenience caused by this incident. We value your patience and understanding at this time. We would like to reassure you that we are taking this matter very seriously.”

The news comes on the back of an admission made a matter of days ago by the Home Office to a number of the Windrush generation, following the sharing of 500 personal email addresses amid the roll-out of the department’s compensation programme.

Shadow home secretary Diane Abbott described the situation as “shambolic”, and called the government’s “mismanagement of the Home Office” “the most shambolic of all.”

“Data breaches are now a matter of routine, while all those who are unfortunate enough to have to deal with the Home Office face a combination of indifference, incompetence and the hostile environment,” the MP for Hackney North and Stoke Newington said.

EU citizens among those caught up in the breach have said they feel like “second-class citizens”, with one individual criticising the government for not knowing “who was in this country.”

Email recipient and Danish national, Natasha Jung, asked:

“When will the UK wake up and realise that EU citizens are being treated as second-class citizens? We have had zero say in the entire process, despite Brexit affecting us the most.”

Another Danish victim of the breach took to Twitter to vent their disbelief, stating:

“Not only am I not welcome, my own data is not even safe by the government who requested said data because they don’t even know who is in this country!”

Nicolas Hatton, co-founder of the campaign group, the3million, said:

“3.6 million EU citizens are forced to entrust the Home Office with their most sensitive data.

“A data breach within the first week of the settled status launch does raise the question whether the Home Office has the right safeguards in place to keep our data safe.”

Responding via email, the Home Office said that it was taking the matter “very seriously” and that the issue would be addressed via its “agents.”

A department official said:

“In communicating with a small group of applicants, an administrative error was made which meant other applicants’ email addresses could be seen.

“As soon as the error was identified, we apologised personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”

Speaking to GDPR: Report, Egress Software’s CEO, Tony Pepper, elaborated on the wider data protection failure highlighted by the episode.

“Incidents like this ‘administrative error’ – such as forgetting to use the Bcc field or sending an email to the wrong person – are unfortunately all-too-common events.

“This news, plus the separate incident at the government department that involved 500 email addresses [demonstrates] the lack of a safety net that could detect and mitigate such errors led to an employee causing a data breach,” Mr Pepper added.

“It’s clear that organisations need to look at implementing more robust risk-based protection tools to avoid such email mis-send incidents, enabling employees to work effectively and securely. With organisations typically prioritising the malicious outsider over the accidental insider threat, the latter has been fundamentally underestimated.

“With intelligently applied machine learning and big data analysis combined with a people-centric approach to technology, it is possible to mitigate against such human errors and enhance organisations’ cybersecurity,” he continued.

To date, over 400,000 EU nationals have applied to settle in the UK under the Home Office’s programme.

