MoD breach of Afghans’ data ‘could have posed threat to life in Taliban’s hands’

13 December 2023, 00:04

Ministry of Defence sign
MoD. Picture: PA

The details of 265 people were mistakenly copied in to emails sent by the Government, meaning they could be seen by all recipients, the ICO said.

The Ministry of Defence has been fined £350,000 for an “egregious” data breach that exposed the personal information of Afghan nationals seeking to flee to the UK after the Taliban takeover.

Details belonging to 265 people were mistakenly copied in to emails sent by the Government, meaning they could be seen by all recipients, the Information Commissioner’s Office (ICO) found.

This could have led to a “threat to life” if the data disclosed fell into the hands of the Taliban, the data watchdog said.

In response to one email, two people “replied all” with one providing their location to the entire distribution list, which was made up of Afghan citizens eligible for evacuation, according to the ICO.

Under data protection law, organisations should have measures in place to avoid disclosing personal information, and the watchdog advises the use of bulk email services or mail merge to protect details sent electronically.

The ministry’s Afghan Relocations and Assistance Policy (ARAP), which was responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government, had no such measures in place at the time, the ICO said.

It infringed the UK’s General Data Protection Regulation (UK GDPR) as a result and left the security of personal information processed by the ARAP team at “significant risk”, the watchdog found.

The original email was sent on September 20 2021 to vulnerable people left behind after the British airlift from Kabul.

The MoD then launched an internal investigation that revealed two similar breaches on September 7 and September 13 that year, the ICO said.

John Edwards, UK Information Commissioner, said: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.

“I welcome the MoD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.

“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances.

“As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”

The ICO said that following the breach the ministry had updated the ARAP’s email processes, including implementing a “second pair of eyes” policy for the ARAP team when sending emails to multiple external recipients.

An MoD spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously.

“We have co-operated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened.

“We fully acknowledge today’s ruling and apologise to those affected.

“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”

By Press Association

More Technology News

See more More Technology News

A person holds an iphone showing the app for Google chrome search engine

Apple and Google ‘should face investigation over mobile browser duopoly’

A Google icon on a smartphone

Firms can use AI to help offset Budget tax hikes, says Google UK boss

Icons of social media apps, including Facebook, Instagram, YouTube and WhatsApp, are displayed on a mobile phone screen

Growing social media app vows to shake up ‘toxic’ status quo

Will Guyatt questions who is responsible for the safety of children online

Are Zuckerberg and Musk responsible for looking after my kids online?

Social media apps on a phone

U16s social media ban punishes children for tech firm failures, charities say

Google shown on a smartphone

US Government proposes forcing Google to sell Chrome to break-up tech empire

The logo for Google's Gemini AI assistant

Google’s Gemini AI gets dedicated iPhone app in the UK for the first time

Facebook stock

EU fines Meta £660m for competition rule breaches over Facebook Marketplace

A phone taking a photo of a phone mast

Government pledges more digital inclusion as rural Wales gets phone mast boost

Social media apps displayed on a mobile phone screen

What is Bluesky and why are people leaving X to sign up?

Someone types at a keyboard

Cyber security chief warns Black Friday shoppers to be alert to scams

MPs

Ministers pressed on excluding Chinese firms from UK’s genomics sector

Child with mobile phone stock

Specially designed smartphone for children launches in the UK

Roblox on a laptop

Children’s gaming platform Roblox makes ‘major update’ to parental controls

An offshore wind farm

Government launches competition to find AI solutions to boost UK clean energy

A Google logo on the screen of a mobile phone

Google partnership with Anthropic AI cleared by competition watchdog