Ministry of Defence breach of Afghans’ data ‘could have posed threat to life in Taliban’s hands’

British soldiers on patrol in Afghanistan.
British soldiers were aided by interpreters in Afghanistan. Credit: PA

The Ministry of Defence has been fined £350,000 for an “egregious” data breach that exposed the personal information of Afghan nationals seeking to flee to the UK after the Taliban takeover.

Details belonging to 265 people were mistakenly copied in to emails sent by the government, meaning they could be seen by all recipients, the Information Commissioner’s Office (ICO) found.

This could have led to a “threat to life” if the data disclosed fell into the hands of the Taliban, the data watchdog said.

In response to one email, two people “replied all” with one providing their location to the entire distribution list, which was made up of Afghan citizens eligible for evacuation, according to the ICO.

The Ministry of Defence, in London. Credit: PA

Under data protection law, organisations should have measures in place to avoid disclosing personal information, and the watchdog advises the use of bulk email services or mail merge to protect details sent electronically.

The ministry’s Afghan Relocations and Assistance Policy (ARAP), which was responsible for assisting the relocation of Afghan citizens who worked for or with the UK government, had no such measures in place at the time, the ICO said.

It infringed the UK’s General Data Protection Regulation (UK GDPR) as a result and left the security of personal information processed by the ARAP team at “significant risk”, the watchdog found.

The original email was sent on September 20, 2021, to vulnerable people left behind after the British airlift from Kabul.

The MoD then launched an internal investigation that revealed two similar breaches on September 7 and September 13 that year, the ICO said.

John Edwards, UK Information Commissioner, said: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.

“I welcome the MoD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.

“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances.

“As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”

The ICO said that following the breach the ministry had updated the ARAP’s email processes, including implementing a “second pair of eyes” policy for the ARAP team when sending emails to multiple external recipients.

An MoD spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously.

“We have co-operated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.

“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”

Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know...