Excel pivot table data leak leads to £120,000 fine for London council

Image

London's Royal Borough of Kensington & Chelsea has been fined £120,000 (approximately US $170,000) by the Information Commissioner’s Office (ICO) after it unlawfully identified 943 people who owned vacant properties in the borough. How did the sensitive data leak out? Because of a sloppy understanding of how to wipe information properly out of Excel spreadsheets.

In June 2017, a horrific fire set a 24-storey tower block ablaze in the Royal Borough of Kensington & Chelsea, West London, destroying 151 homes. Despite the best efforts of the emergency services, over 70 people died in the blaze at Grenfell Tower, and hundreds of survivors found themselves with nowhere to live.

Kensington & Chelsea council found itself under intense pressure from the media, with accusations that it had failed to properly respond to safety warnings about the tower block and that its care for surviving residents had fallen short. It's in that climate that the council received three Freedom of Information (FOI) requests for statistics on how many empty properties were in the borough. Responding to the FOI requests, a member of the council produced a pivot table containing a list of named owners against the addresses of empty properties in the borough.

Clearly, it would not have been a good idea to disclose that information because of the risk of the information being exploited by criminals. So, a list was complied of the number of empty properties with the intention that it would be disclosed to those who made the FOI applications. It was then pasted into a new spreadsheet. When a member of the borough's FOI team checked that no data had been included in the new spreadsheet, they scrolled through the cells, clicking once to check for hidden data.

Was that a good enough test? Sadly not. Because the journalists who ultimately received the spreadsheet discovered that double-clicking on any cell revealed the identities of owners of the 943 empty properties' owners and their addresses. As a consequence, a newspaper was able to publish details of some of those who owned empty properties in the area - including a Ukrainian oligarch, a former mayor of New York, and a high-profile luxury property developer.

To make things worse, the entire spreadsheet was published by one of the journalists on an online blog, and one of the property owners exposed by the data breach was distressed to be visited at their home by a journalist. The Information Commissioner's Office hit the Royal Borough of Kensington & Chelsea with a £120,000 fine, explaining that it had failed to take reasonable steps to prevent a data breach from occurring. Kensington and Chelsea Borough Council, which reported the breach to the ICO and cooperated with the inquiry, has been offered a discounted fine of £96,000 if it pays promptly.

It should be remembered that it's not as though it's hard to prevent "hidden data" from an Excel spreadsheet's pivot table from sneaking out. The easiest solution would have been for the council to simply use a text format like a .CSV file that stores information in plain text rather than produce an Excel spreadsheet.

If that's not appropriate for any reason, then policies should be put in place to ensure that any teams responding to a FOI request check a file properly before disclosure. There are certainly lessons here for many other organisations to take great care with the data they share. After all, in this case, it appears a simple double click rather than a single click could have avoided a £120,000 fine.  

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.