UK Regulator Rebukes Post Office After Horizon Victims’ Information Published Online

Key Takeaways
  • Preventable Data Breach: The ICO reprimanded the Post Office after it mistakenly published an un-redacted settlement document exposing personal details of 502 former postmasters.
  • Public for Nearly Two Months: The sensitive information remained accessible from April 25 to June 19, 2024, before an external law firm notified the organization.
  • Lack of Safeguards: Investigators found no proper review processes, insufficient training, and a failure to implement basic data protection controls.
  • Fine Considered but Not Imposed: The ICO initially weighed a penalty of up to £1.094 million but opted for a reprimand under its public sector enforcement approach.
  • Remediation Underway: The Post Office has offered compensation, deployed identity protection services, and introduced new publication policies and controls.
Deep Dive

The Information Commissioner’s Office (ICO) has issued a formal reprimand to Post Office Limited after its communications team mistakenly uploaded an un-redacted legal settlement document to the organization’s corporate website. The file (containing the names, home addresses, and postmaster status of 502 individuals involved in the landmark group litigation) was left publicly accessible for nearly eight weeks between April and June 2024.

It wasn’t the Post Office that caught the mistake, but an external law firm.

When investigators looked into the incident, they found that basic safeguards simply weren’t there. The ICO said the organization lacked proper publication checks, clear guidance for staff, and any form of documented approval process for posting documents online. Training on handling sensitive personal information also fell short.

“These individuals had already endured significant hardship and distress as a result of the Horizon IT scandal,” said Sally Anne Poole, Head of Investigations at the ICO. “The postmasters have once again been let down. This breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.”

The regulator initially considered a fine, up to £1.094 million under the UK’s public sector enforcement framework, but ultimately determined that the failings did not reach the level of being “egregious.” Instead, a reprimand was issued, reflecting the ICO’s focus on raising public sector standards through early engagement and enforcement measures short of financial penalties except in the most serious cases.

Trying to Repair the Damage

In the wake of the breach, the Post Office offered compensation to affected individuals, with most receiving payments already. Identity protection services, including two years of fraud monitoring and dark web surveillance, were also provided to reduce the risk of further harm. The organization contacted search engines to purge cached copies of the document and created a working group to improve internal controls. A new formal publication policy has now been introduced.

While no malicious intent was involved, the ICO stressed that the error revealed something more systemic: a disregard for data protection fundamentals at a time when trust in the Post Office is already deeply fractured.

The regulator said the incident should serve as a warning across the corporate and public sectors. It pointed to key lessons—including the need for proper sign-off procedures for online publications, better classification of sensitive data, and more tailored training for teams responsible for public communications.

Data protection, the ICO warned, is not a back-office obligation. It must be wired into everyday decisions.
