The Information Commissioner’s Office (ICO) on 13 December 2023 fined the Ministry of Defence (MoD) £350k for data breaches in September 2021 that endangered the lives of 265 Afghan nationals who were already at risk of reprisals for having worked with the UK government in Afghanistan.
The data breach disclosed the personal information of the individuals while they were seeking relocation from the country under the UK’s Afghan Relocations and Assistance Policy (ARAP) in the wake of the Taliban takeover of Afghanistan.
In an MoD email sent by the ARAP team on 20 September 2021, the addresses of 256 intended Afghan recipients were placed in the ‘To’ field instead of the ‘BCC’ field, disclosing every address to every other recipient and, in 55 cases, also exposing the thumbnail portrait photographs associated with those accounts.
“The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,” according to a statement from the ICO.
Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form.
It was later found that two other breaches of the same kind had occurred, involving 13 email addresses on 7 September and 55 email addresses on 13 September. Once duplicate recipients are removed, the three breaches span 265 individuals.
The ICO found that the ARAP team lacked the measures required by law to prevent inappropriate disclosure of people’s information, and that its reliance on the ‘blind carbon copy’ (BCC) field for bulk email posed a considerable risk of human error.
“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” said John Edwards, UK Information Commissioner.
Taking into account the MoD’s representations, the fine was reduced from a starting amount of £1m to £700k to reflect the action taken by the MoD following the incidents and to recognise the significant challenges faced by the ARAP team. The fine was reduced to £350k under the ICO’s public sector approach.
A Ministry of Defence spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.
“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”
Data breach investigation
The breach was raised in the House of Commons in an urgent question put by MP John Healey on 25 April 2023 to the then Defence Secretary, Ben Wallace. Wallace said that to call himself angered by the data breach would be an understatement; he initiated an investigation, suspended one member of staff pending its findings, and put new data security measures in place.
In a statement in October 2021, Sean Humber, a specialist data breach lawyer at the law firm Leigh Day, which represents victims of the breach, said that from the conversations his team had “had with distressed clients trapped in Afghanistan, these data breaches have made an already extremely difficult situation even worse.”
Humber added: “In due course, those affected are likely to have substantial claims for compensation against the Government for the unauthorised release of their personal data and the problems that this has caused.”