Information commissioner John Edwards, who leads the ICO, said the “deeply regrettable” breach “let down those to whom our country owes so much.”
The “challenging” situation on the ground in 2021, when Western forces pulled out of Afghanistan, was “no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm.
“When the level of risk and harm to people heightens, so must the response.”
‘A threat to life’
The ICO identified three separate data breaches taking place in September 2021, all related to emails sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP).
The incidents occurred on the 7th, 13th and 20th September. In all cases, the ARAP team sent emails to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, revealing personal information on 13, 55 and 245 people, respectively.
Because some of these emails were sent to the same people, 265 unique email address were disclosed in total.
In the last and largest breach, 55 people had thumbnail pictures attached to and visible on their email profiles, and two people ‘replied all’ to the message, with one of them including their location.
‘The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,’ the ICO wrote.
After the 20th September incident the MoD contacted those concerned asking them to delete the email, change their email addresses and send their new details to the ARAP team. The Ministry also instituted new policies for sending emails to multiple external recipients.
However, there were no such policies in place at the time of the breaches. The ICO found that the MoD had no operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation – like bulk email services, mail merge, or secure data transfer services, which ICO guidance recommends.
Responsibility
The MoD accepted responsibility and worked with the ICO in its investigation. In light of that, and the new measures enacted based on the regulator’s recommendations, the ICO reduced its initial fine from £1 million to £700,000.
In line with the ICO’s public sector approach, the fine was further reduced, by 50%, to a total of £350,000.
“The Ministry of Defence takes its data protection obligations incredibly seriously,” a spokesperson. “We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened.
“We fully acknowledge today’s ruling and apologise to those affected.”
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
