MoD fined after breach of Afghan staffers’ data put lives at risk

The Ministry of Defence (MoD) has been landed with a £350,000 fine after a series of internal email blunders in September 2021 exposed the personal data of Afghan nationals eligible for evacuation to the UK after the Taliban took control of the country.

The incident originated via the MoD’s Afghan Relocations and Assistance Policy (Arap), which at the time was working flat out to render assistance to Afghan nationals who had worked with British forces and were therefore at risk of reprisals from the Taliban.

Arap emailed a distribution list of Afghan nationals seeking to evacuate using the “To” field with the result that the data of 245 people, including thumbnail profile pictures of 55 of them, was shared to the entire list. Two people then hit “Reply All”, and one of those inadvertently gave up their location.

The ICO rarely fines government and public sector bodies over breaches on the basis, it says, that to do so ultimately increases the burden on the British taxpayer. However, on this occasion, given the risk to life that resulted, it has taken the decision to impose a financial penalty.

“This deeply regrettable data breach let down those to whom our country owes so much,” said information commissioner John Edwards. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.

“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”

The investigation found that Arap was operating contrary to ICO guidance, which makes it clear organisations must have appropriate technical measures in place to avoid such bulk email data disclosures, such as the use of bulk email services, mail merge or secure data transfers.

Arap had failed to implement any such policies, and was relying on staffers remembering to use the Blind Carbon Copy (BCC) function. Additionally, it said, staff joining the Arap team were relying on the MoD’s broader email policies and received no specific guidance or training relating to the security risks of sending group emails containing sensitive information.

In the wake of the breach, the MoD has embarked on an update of email policies and processes in Arap, including the implementation of a so-called “second pair of eyes” policy to cross-check emails being sent to lists. Computer Weekly understands it has made other changes, although these have not been disclosed at this time, likely to preserve operational security. Its fine has been significantly reduced from an initial £1m on this basis.

An MoD spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.

“We have introduced a number of measures to act on the ICO’s recommendations,” it added.