MoD breach of Afghans’ data ‘could have posed threat to life in Taliban’s hands’

13 December 2023, 00:04

Ministry of Defence sign
MoD. Picture: PA

The details of 265 people were mistakenly copied in to emails sent by the Government, meaning they could be seen by all recipients, the ICO said.

The Ministry of Defence has been fined £350,000 for an “egregious” data breach that exposed the personal information of Afghan nationals seeking to flee to the UK after the Taliban takeover.

Details belonging to 265 people were mistakenly copied in to emails sent by the Government, meaning they could be seen by all recipients, the Information Commissioner’s Office (ICO) found.

This could have led to a “threat to life” if the data disclosed fell into the hands of the Taliban, the data watchdog said.

In response to one email, two people “replied all” with one providing their location to the entire distribution list, which was made up of Afghan citizens eligible for evacuation, according to the ICO.

Under data protection law, organisations should have measures in place to avoid disclosing personal information, and the watchdog advises the use of bulk email services or mail merge to protect details sent electronically.

The ministry’s Afghan Relocations and Assistance Policy (ARAP), which was responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government, had no such measures in place at the time, the ICO said.

It infringed the UK’s General Data Protection Regulation (UK GDPR) as a result and left the security of personal information processed by the ARAP team at “significant risk”, the watchdog found.

The original email was sent on September 20 2021 to vulnerable people left behind after the British airlift from Kabul.

The MoD then launched an internal investigation that revealed two similar breaches on September 7 and September 13 that year, the ICO said.

John Edwards, UK Information Commissioner, said: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.

“I welcome the MoD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.

“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances.

“As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”

The ICO said that following the breach the ministry had updated the ARAP’s email processes, including implementing a “second pair of eyes” policy for the ARAP team when sending emails to multiple external recipients.

An MoD spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously.

“We have co-operated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened.

“We fully acknowledge today’s ruling and apologise to those affected.

“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”

By Press Association

More Technology News

See more More Technology News

Alexander McCartney, 26, has admitted 185 charges involving 70 children

Online predator who drove 12-year-old catfish victim to suicide to be sentenced after admitting 185 charges

Sewell Setzer III and his mother

Boy, 14, 'killed himself after becoming obsessed with Game of Thrones A.I chatbot'

Meta is set to introduce facial recognition technology to crack down on celebrity advert scams

Facebook and Instagram launch technology to crack down on celebrity scam adverts

Tesla used this AI-Generated image at their We, Robot event

Blade Runner 2049 creators sue Elon Musk over AI-generated Robotaxi images

Mark Zuckerberg speaks about Meta AI during the Meta Connect Conference in California in September

Meta AI tools come to UK for first time

Google Stock

US government says it is considering breaking up Google after competition case

A woman’s hand pressing keys on a laptop keyboard

Lack of digital confidence costing people money and job opportunities – study

A person using a laptop

Government opens new competition to find next generation of cybersecurity talent

Exclusive
Ukrainian military learn to fly drones with bombs attached at a special school on May 12, 2023 in Lviv region Ukraine.

Ukraine’s AI-powered drone swarms signal the future of warfare and 'level the playing field' with Russia, report reveals

Web search page with Google

Google ordered to open app store to rivals by US judge

Appeals Centre Europe is an independent body (PA)

Social media users can appeal over content disputes to new settlement body

A close-up of a group of young people looking at mobile phones

Fear of missing out sees girls stay online despite negativity, survey finds

A close up of copper inside electrical cables

Recycling old cables could help provide copper needed for green tech – study

A woman’s hands on a laptop keyboard.

New regulatory office ‘to help new tech reach public faster’

Woman talking on mobile phone and working on laptop

New AI-powered scam detection tool launches

Google screen

Google brings more AI to search engine in ‘significant’ update