UK Information Commissioners’ Office fines Ministry of Defence for revealing the names fo 265 people seeking relocation to the UK from Afghanistan after the Taliban took over.

January 1, 2024 |

A very common form of data breach by government agencies is for an officer, usually mid ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then send the email to the wrong recipient or sending the wrong attachment to the intended recipient.  Another variation I see quite commonly is someone sending an email to a large number of recipients as part of a “Reply All” when the intention was to respond to only one person.  Many of the “Alls” should not have seen the document.   

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals releasing personal information of 245 people. The ICO statement provides:

    • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
    • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
    • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such procedure provides a double check whereby an email instigated by one member of staff is cross checked by another.

Under data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately. ICO guidance makes it clear that organisations should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically. The ARAP team did not have such measures in place at the time of the incident and was relying on ‘blind carbon copy’ (BCC), which carries a significant risk of human error.

Taking into consideration the representations from the MoD, the fine was reduced from a starting amount of £1,000,000 to £700,000 to reflect the action the MoD took following the incidents and recognising the significant challenges the ARAP team faced. Under the ICO’s public sector approach, the fine was further reduced to £350,000. This fine serves as a deterrent to data breaches, ensuring that both the MoD and other organisations have appropriate policies and training in place to minimise the risks of people’s information being inappropriately disclosed via email.

Details of the infringement

The ICO found that the MoD infringed the UK General Data Protection Regulation (UK GDPR), between August and September 2021, by failing to have appropriate technical and organisational measures in place. This failure left the security of personal information processed by the ARAP team at significant risk, in particular by way of disclosure through human error.

In addition to the 20 September 2021 incident, the MoD’s internal investigation found two other similar data breaches, including on 7 September 2021 involving 13 individual email addresses, and on 13 September 2021 involving 55 individual email addresses – both using the ‘To’ field. In some instances, the same email address was involved and so the total number of unique email addresses disclosed was 265.

The ICO investigation found that, at the time of the infringement, the MoD did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation. Staff joining the ARAP team had to rely on the MoD’s broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information.





Leave a Reply

Verified by MonsterInsights