MoD fined for 'reply all' email blunder that risked Afghanistan interpreters' lives as they fled the Taliban
13 December 2023, 06:24
The Ministry of Defence has been fined £350,000 for an email mistake that exposed the personal information of Afghans fleeing the Taliban in 2021.
The personal details of 265 people were copied into government emails by mistake, which meant everyone who was sent the messages could see them, an investigation found.
That could have risked their lives if the Taliban got hold of the data, the Information Commissioner's Office (ICO) said.
The error came when two people "replied all" in response to an email, which gave everyone copied in their location. The distribution list was Afghan citizens who were eligible for evacuation, according to the data watchdog.
According to data protection laws, organisations like the MoD should have measures in place to avoid disclosing personal information.
The ICO advises against the use of bulk email services or mail merge to protect details sent electronically.
The government's Afghan Relocations and Assistance Policy (ARAP) did not have these measures, the ICO said.
That meant it broke GDPR rules and left the Afghans' personal information at "significant risk", the watchdog found.
The original email was sent on September 20 2021 to vulnerable people left behind after the British airlift from Kabul, the capital of Afghanistan.
Two similar breaches on September 7 and September 13 that year were revealed by an internal MoD investigation.
John Edwards, UK Information Commissioner, said: "This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.
"While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people's information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.
"I welcome the MoD's remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.
"By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra - it is a must, whatever the circumstances.
"As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm."
An MoD spokesperson said: "The Ministry of Defence takes its data protection obligations incredibly seriously.
"We have co-operated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened.
"We fully acknowledge today's ruling and apologise to those affected.
"We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course."