UK Ministry of Defence fined £350,000 for Afghan evacuation data breach

Data breach affecting 265 people could have “resulted in a threat to life”.

The UK Ministry of Defence (MoD) has been fined £350,000 ($438,333) by the Information Commissioner’s Office (ICO) for an “egregious” data breach in which the MoD disclosed the personal information of 265 individuals.

The information was connected to individuals who sought to relocate to the UK shortly after the Taliban took control of Afghanistan in 2021 – information that “could have resulted in a threat to life” if it had fallen into the hands of the Taliban, according to the ICO.

“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today”, said John Edwards, Information Commissioner.

Afghan nationals eligible for evacuation

On September 20, 2021, the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP) sent an email to 265 Afghan citizens who had worked for or with the UK Government in Afghanistan and were eligible for evacuation. The recipients were placed in the ‘To’ field instead of being blind copied (‘Bcc’), so every recipient could see every other recipient’s email address, as well as the profile pictures of 55 people. Two people also ‘replied all’, and one of them disclosed their location.

The ICO’s investigation also found that the MoD infringed the UK GDPR by failing to have adequate technical and organizational measures in place. The ICO said this placed the security of personal information “at significant risk”.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm,” Edwards said.

Shortly after the data breach, the MoD contacted those affected and asked them to delete the email, change their email address, and submit new contact details to ARAP via a secure form. An internal investigation was also launched.

“The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognize the severity of what has happened. We fully acknowledge today’s ruling and apologize to those affected,” said a spokesperson at the Ministry of Defence. “We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”

In a statement in Parliament in September 2021, the then Secretary of State for Defence Ben Wallace said that “extensive steps are to be taken to quantify the potential increased risk to individuals in order to take further steps to protect them”. The ARAP team will also have to follow the ‘second pair of eyes’ policy to cross check emails before sending to multiple external recipients.
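The failure described above (external recipients placed in the visible ‘To’ field rather than ‘Bcc’) and the ‘second pair of eyes’ policy both come down to checking who can see whom before a message leaves. The following is an added illustration of an automated pre-send check of that kind; it is not MoD or ICO code, and the domain names, sample addresses and threshold are assumptions.

```python
"""Pre-send check for mass mailings: flags a message that puts several
external recipients in visible headers (To/Cc) instead of Bcc.
Added example; organisation domain, threshold and addresses are assumed."""
from email import message_from_string, policy
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.gov.uk"}   # assumed sender organisation domain
MAX_VISIBLE_EXTERNAL = 1                # assumed policy: at most one external address visible


def visible_external_recipients(raw_message: str) -> list[str]:
    """Return external addresses in To/Cc, i.e. those every recipient can read.
    Bcc is deliberately ignored: those addresses are stripped before delivery."""
    msg = message_from_string(raw_message, policy=policy.default)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen, external = set(), []
    for _name, addr in pairs:
        addr = addr.strip().lower()
        if not addr or addr in seen:
            continue
        seen.add(addr)
        domain = addr.rsplit("@", 1)[-1]
        if domain not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def check_message(raw_message: str) -> tuple[bool, str]:
    """Return (allowed, reason). A send that would reveal external recipients
    to one another is held for Bcc correction or second-pair-of-eyes review."""
    external = visible_external_recipients(raw_message)
    if len(external) > MAX_VISIBLE_EXTERNAL:
        return False, (f"{len(external)} external addresses visible in To/Cc; "
                       "move them to Bcc or route for second-pair-of-eyes review")
    return True, "ok"


# Constructed sample messages (placeholder addresses, not real ones).
EXPOSED = """From: team@example.gov.uk
To: a1@example.net, a2@example.org, a3@example.com
Subject: Update

body
"""
SAFE = """From: team@example.gov.uk
To: team@example.gov.uk
Bcc: a1@example.net, a2@example.org, a3@example.com
Subject: Update

body
"""
```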

“This is an unacceptable level of service that has let down the thousands of members of the armed forces and veterans,” Wallace continued.

More emails breached

In addition to the breach on September 20, 2021, the MoD’s internal investigation found that two other similar breaches had occurred that month: on September 7, 13 individual email addresses were exposed, and on September 13, a further 55. In every case the addresses were exposed by using the ‘To’ field.

Some email addresses were involved in more than one breach, which brings the total number of unique email addresses exposed to 265.

The fine was first set at £1,000,000 ($1.25m), but was then lowered to £700,000 ($876,739) in recognition of the actions the MoD had taken after the incidents, and in acknowledgement of the “significant challenges” the ARAP team faced at the time. The fine was later further reduced to £350,000 ($438,333) under the ICO’s public sector approach.

“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm,” Edwards continued.