MoD fined over data breach that 'could have cost lives'

Poor email hygiene risked the lives of Afghans who worked with UK forces

The fine relates to MoD email hygiene during the evacuation of Afghanistan in 2021


The ICO has fined the Ministry of Defence (MoD) £350,000 for accidentally sharing personal information of Afghan people hoping to relocate to the UK, after the Taliban took over in 2021.

Information commissioner John Edwards, who leads the ICO, said the "deeply regrettable" breach "let down those to whom our country owes so much."

The "challenging" situation on the ground in 2021, when Western forces pulled out of Afghanistan, was "no excuse for not protecting people's information who were vulnerable to reprisal and at risk of serious harm.

"When the level of risk and harm to people heightens, so must the response."

'A threat to life'

The ICO identified three separate data breaches taking place in September 2021, all related to emails sent by the team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP).

The incidents occurred on the 7th, 13th and 20th September. In all cases, the ARAP team sent emails to a distribution list of Afghan nationals eligible for evacuation using the 'To' field, revealing personal information on 13, 55 and 245 people, respectively.

Because some of these emails were sent to the same people, 265 unique email addresses were disclosed in total.

In the last and largest breach, 55 people had thumbnail pictures attached to and visible on their email profiles, and two people 'replied all' to the message, with one of them including their location.

'The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,' the ICO wrote.

After the 20th September incident the MoD contacted those concerned asking them to delete the email, change their email addresses and send their new details to the ARAP team. The Ministry also instituted new policies for sending emails to multiple external recipients.

However, there were no such policies in place at the time of the breaches. The ICO found that the MoD had no operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation - like bulk email services, mail merge, or secure data transfer services, which ICO guidance recommends.
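As an added illustration of the control the ICO found missing (this is example code, not anything from the MoD, ARAP or the ICO), the block below shows a minimal outbound-mail policy check that flags a message exposing more than one external address in the visible To/Cc headers, alongside a mail-merge style helper that produces one message per recipient so no recipient sees the others. The internal domain, the threshold and the sample message are assumed values constructed for the example.

```python
# Added example (not part of the article): outbound-mail policy check for
# group messages that expose every external recipient in To/Cc, plus a
# per-recipient (mail-merge style) alternative. Domains, threshold and the
# sample message are assumed/constructed values.
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.gov.uk"}  # assumed; substitute your own domains
MAX_VISIBLE_EXTERNAL = 1               # assumed policy threshold


def visible_external_recipients(raw_message: str) -> list[str]:
    """Return external addresses exposed in To/Cc (Bcc is never exposed)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr.lower() for _, addr in getaddresses(headers) if addr]
    return [a for a in addrs if a.split("@")[-1] not in INTERNAL_DOMAINS]


def violates_policy(raw_message: str) -> bool:
    """True when more than MAX_VISIBLE_EXTERNAL external addresses are visible."""
    return len(visible_external_recipients(raw_message)) > MAX_VISIBLE_EXTERNAL


def split_for_individual_delivery(sender: str, recipients: list[str],
                                  subject: str, body: str) -> list[EmailMessage]:
    """Build one message per recipient so recipients cannot see each other."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, rcpt, subject
        m.set_content(body)
        messages.append(m)
    return messages


# Constructed sample: a group message that exposes three external recipients.
SAMPLE = (
    "From: relocation-team@example.gov.uk\r\n"
    "To: a@mail.test, b@mail.test, c@mail.test\r\n"
    "Cc: desk@example.gov.uk\r\n"
    "Subject: Relocation update\r\n\r\nHello\r\n"
)

if __name__ == "__main__":
    print(violates_policy(SAMPLE))  # True
```

In practice this check sits in the mail gateway or sending tool as a hard block rather than a warning, since the people at risk are the recipients, not the sender.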

Responsibility

The MoD accepted responsibility and worked with the ICO in its investigation. In light of that, and the new measures enacted based on the regulator's recommendations, the ICO reduced its initial fine from £1 million to £700,000.

In line with the ICO's public sector approach, the fine was further reduced, by 50%, to a total of £350,000.

"The Ministry of Defence takes its data protection obligations incredibly seriously," a spokesperson said. "We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened.

"We fully acknowledge today's ruling and apologise to those affected."