Daily Newsletter

13 December 2023

Daily Newsletter

13 December 2023

MoD fined £350k after disclosing personal details of 265 Afghan aides

The Ministry of Defence (MoD) was fined £350k after a 2021 data breach that endangered 265 Afghans who had worked for UK forces and were seeking relocation.

Andrew Salerno-Garthwaite December 13 2023

The Information Commissioner’s Office (ICO) on 13 December, 2023, fined the Ministry of Defence (MoD) £350k for data breaches in September 2021 that endangered the lives of 265 Afghan nationals who were already at risk of reprisals for working under the UK government in Afghanistan. 

The data breach disclosed the personal information of the individuals while they were seeking relocation from the country under the UK's Afghan Relocations and Assistance Policy (ARAP) in the wake of the Taliban takeover of Afghanistan.  

In an MoD communication from the ARAP team on 20 September 2021 the email addresses of 256 intended Afghan recipients were included in 'To' field of the email instead of the 'BCC' field, disclosing these email addresses and in 55 cases making visible their thumbnail-photograph portraits. 

“The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,” according to a statement from the ICO.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. 

It was later found that two other breaches of this kind had occurred at involving 13 email addresses on 7 September and 55 email addresses on 13 September. Extracting duplicate occurrences, the three breaches span 265 individuals. 

"This deeply regrettable data breach let down those to whom our country owes so much."

John Edwards, UK Information Commissioner

The ICO found the ARAP team to be lacking in measures required by law to avoid disclosing people’s information inappropriately, and that the ARAP team’s dependence on 'blind carbon copy’ posed a considerable risk of human error. 

“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” said John Edwards, UK Information Commissioner. 

Taking into account the MoD's representations, the fine was reduced from a starting amount of £1m to £700k to reflect the action taken by the MoD following the incidents and to recognise the significant challenges faced by the ARAP team. The fine was reduced to £350k under the ICO's public sector approach. 

A Ministry of Defence spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today's ruling and apologise to those affected. 

“We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course.” 

Data breach investigation

The breach was mentioned in the House of Commons in an urgent question put forth by MP John Healy on 25 April 2023 to the Defence Secretary at the time, Ben Wallace, who said it would be an understatement to say he was angered by the data breach and initiated an investigation, suspending one staff member until the findings of the investigation were concluded, and putting in place new data security measures. 

In a statement in October 2021 from Sean Humber, a specialist data breach lawyer at the legal firm Leigh Day that represents victims of the data breach, Humber said that from the conversations his team have, “had with distressed clients trapped in Afghanistan, these data breaches have made an already extremely difficult situation even worse.” 

Humber adds that, “In due course, those affected are likely to have substantial claims for compensation against the Government for the unauthorised release of their personal data and the problems that this has caused.”

Analyzing the role of IoT in defense

The applications of IoT in defense are wide-ranging and include health monitoring, AR remote training, gaining situational awareness using drones, vehicle management, target recognition, and many more. For instance, smart sensors can be used on military equipment to give data on their health and whether maintenance is needed. This helps reduce operating costs and downtime for military equipment.

Newsletters by sectors

close

Sign up to the newsletter: In Brief

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Thank you for subscribing

View all newsletters from across the GlobalData Media network.

close