The UK Ministry of Defence (MOD) is facing a fine from the Information Commissioner’s Office (ICO) after a data breach led to the details of hundreds of Afghan nationals being compromised, which put their lives at risk.
The personal information of 265 people looking to come to the UK from Afghanistan following the western retreat in 2021 was leaked as part of an “email error”.
“On 20 September 2021, the MOD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed,” said the ICO.
“The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.”
The ICO added that the data that was disclosed could have created a life-threatening situation for those involved had that information reached the hands of the Taliban.
Following the breach, the ICO issued the UK MOD a fine of £350,000 (roughly $666,400), saying that the MOD “did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation”.
Following the incident, the MOD began an internal investigation, updated ARAP policies regarding emails, and instructed recipients to delete the emails, change their email address and inform the MOD of the new details.
“The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected,” the MOD said.
“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”
UK information commissioner John Edwards has said that while the data breach was disappointing, he is pleased with the changes the MOD have announced.
“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” he said.
“I welcome the MOD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.”