The U.K.’s Ministry of Defence has been fined £350,000 by the Information Commissioner’s Office for disclosing the personal data of people evacuated from Afghanistan.
Soon after the Taliban took control of Afghanistan in 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation. However, the email addresses could be seen by all recipients, with personal information relating to 245 people being inadvertently revealed.
Fifty-five people had thumbnail pictures on their email profiles, and two people ‘replied all’ to the entire list of recipients, with one of them giving their location.
Under U.K. data protection law, organizations must have appropriate technical and organizational measures in place to avoid disclosing people’s information inappropriately. This, says the ICO, means they should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically.
This email, by contrast, relied on blind carbon copy—and something appears to have gone wrong.
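As an added example (not code from the article, the ICO or the MoD): a small Python mail-merge builder that produces one message per recipient, alongside a release gate that refuses any message exposing more than one address in To or Cc, the control that would have caught a Bcc list that ended up in the visible headers. The sender and recipient addresses are constructed placeholders.

```python
from email.message import EmailMessage

# Constructed sample distribution list (hypothetical addresses, not from the article).
RECIPIENTS = [
    "applicant1@example.org",
    "applicant2@example.org",
    "applicant3@example.org",
]

def visible_recipients(msg):
    """Return every address a recipient would see in the To and Cc headers.
    Bcc is deliberately ignored: it is stripped on delivery, so it is not exposure."""
    addrs = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value:
            addrs.extend(a.addr_spec for a in value.addresses)
    return addrs

def check_before_send(msg):
    """Release gate: a bulk notice may expose at most one address per message."""
    return len(visible_recipients(msg)) <= 1

def build_individual_messages(sender, subject, body_template, recipients):
    """Mail-merge pattern: one message per recipient, so no list is ever in a
    visible header and a mis-addressed Bcc cannot reveal the other recipients."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body_template.format(recipient=addr))
        if not check_before_send(msg):
            raise ValueError(f"message to {addr} exposes other recipients")
        messages.append(msg)
    return messages

def build_group_message(sender, subject, body, recipients):
    """The risky pattern: the whole list in To, visible to every recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

The gate only inspects headers, so it belongs in the sending path (for example, as a check before handing the message to SMTP), not in the composer where the mistake is made.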
“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” said information commissioner John Edwards.
“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.”
The email was sent by the team in charge of the U.K.’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the U.K. government in Afghanistan. This team, the ICO found, wasn’t given specific guidance about the security risks of sending group emails when communicating sensitive information.
And, says the ICO, if the data had fallen into the hands of the Taliban, it could have resulted in a threat to life.
When the data breach was discovered, the MoD contacted those affected asking them to delete the email, change their email address, and give the ARAP team their new contact details via a secure form. It conducted an internal investigation, made a statement in Parliament about the data breach, and updated email policies and processes, including making sure that every email was checked by a second pair of eyes.
During the investigation, it was discovered that two other similar data breaches had taken place.
However, because the MoD was deemed to have responded effectively, the potential fine was reduced from an initial £1 million.
“The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected,” says a Ministry of Defence spokesperson in a statement.
“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”