The Information Commissioner’s Office (ICO) has issued the Post Office with a reprimand in relation to a data breach that revealed the personal details of hundreds of Horizon scandal victims.

In June 2024, it emerged that a document containing the personal information of subpostmasters affected by the Post Office scandal had been accidentally published on the Post Office website. It was caused by a human error during a website upgrade.

The Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names and addresses of some 500 former subpostmasters who took part in the 2018/19 High Court Group Litigation Order (GLO) that proved bugs in the Post Office’s Horizon IT system were responsible for accounting losses, for which the victims were blamed and prosecuted.

The ICO said it initially considered a fine of just over £1m, but a formal written notice was deemed more appropriate.

Sally Anne Poole, ICO head of investigations, said: “The ICO did not consider that the data protection infringements identified reached the threshold of ‘egregious’ under its public sector approach, and a reprimand has been issued instead [of a fine].”

She said subpostmasters had been let down again by the Post Office.

Speaking to Computer Weekly after the breach became public last year, Jasvinder Barang, a former subpostmistress and member of the group of affected subpostmasters, questioned the Post Office’s attitude towards the damage the data leak caused.

“I don’t think they’re taking that seriously. We are finding it very, very stressful, and very serious, but they don’t seem to think so,” she said.

Barang said the data breach was just another thing on top of all the stress related to the scandal. “I am absolutely stressed. Not knowing who knows where we live and all the rest of it. It’s not just my safety I am worried about, but my family’s as well.”

The ICO’s Poole added: “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserve much better than this.

“Our investigation highlighted that this data breach was entirely preventable, and stemmed from a mistake that could have been avoided had the correct procedures been in place.”

During a Post Office scandal public inquiry hearing last year, Simon Recaldin, who headed up the Post Office’s Horizon scandal financial redress schemes at the time, was asked whether the “serious data breach” was a “reflection of Post Office culture in any way”.

He said it was not, and blamed the breach on human error. “That was a genuine human error,” said Recaldin. “The Post Office is so sorry it happened. It shouldn’t have happened.”

He said the error had occurred during a website upgrade. “The link to the [GLO] settlement agreement, which was on the website, had broken,” said Recaldin. “They were refreshing the link, and to do this, they had to get the original document to put in there, but they put the unredacted document rather than the redacted document in there.”

A Post Office spokesperson said: “We would like to offer our sincere apologies to those who were affected by this data breach. We deeply regret the impact of the breach on them and understand that it is in addition to their experiences as part of the group litigation in the Horizon IT scandal. Compensation payments have been made to the majority of those affected by this error, which saw the mistaken publication of a document on our website, and we are working through the outstanding offers on a case-by-case basis.

“We have since worked to identify and address where improvements should be made in our processes and controls. These measures have now been implemented and recognised by the ICO.”

Computer Weekly first exposed the Post Office IT scandal in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software, which led to the most widespread miscarriage of justice in British history (see below timeline of Computer Weekly articles about the scandal since 2009).

Read more on IT for government and public sector

• 
  

  Police investigation into Post Office scandal to cost more than £50m

  By: Karl Flinders

• 
  

  Subpostmaster federation accepted money from Fujitsu in run-up to High Court Post Office trial

  By: Karl Flinders

• 
  

  Kroll reviewing Post Office Horizon’s current integrity and discrepancy identification

  By: Karl Flinders

• 
  

  Post Office scandal data leak interim compensation offers made

  By: Karl Flinders