Brian Sims
Editor

ICO fines Ministry of Defence for Afghan evacuation data breach

THE INFORMATION Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) the sum of £350,000 for disclosing the personal information of individuals seeking relocation to the UK shortly after the Taliban took control of Afghanistan back in 2021.

On 20 September 2021, the MoD sent an e-mail to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 individuals being inadvertently disclosed.

The e-mail addresses could be seen by all recipients, with 55 of those involved having thumbnail pictures on their e-mail profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original e-mail was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for – or with – the UK Government in Afghanistan. Should it have fallen into the hands of the Taliban, the data disclosed could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the individuals affected asking them to delete the e-mail, change their e-mail address and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach and updated the ARAP’s e-mail policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending e-mails to multiple external recipients.

Such a procedure provides a ‘double check’ whereby an e-mail instigated by one member of staff is cross-checked by another.

Data protection law

Under data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately.

ICO guidance makes it clear that organisations should use bulk e-mail services, mail merge or secure data transfer services when sending any sensitive personal information electronically. The ARAP team did not have such measures in place at the time of the incident and relied on ‘blind carbon copy’, which carries a significant risk of human error.
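The two controls described above, a per-recipient (mail-merge style) send in place of a single message with the whole list in a visible header, and a 'second pair of eyes' rule, as an added example that is not MoD or ICO code. The internal domain, sender and recipient addresses are constructed for illustration, and nothing is actually sent.

```python
# Added example (not MoD or ICO code): pre-send guard for external bulk e-mail.
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.gov.uk"          # hypothetical internal domain
SENDER = "relocation-team@example.gov.uk"   # constructed sender
RECIPIENTS = [f"person{i}@example.com" for i in range(5)]  # constructed list

def addresses(msg: EmailMessage, header: str) -> list:
    """Bare addresses found in every instance of the given header."""
    return [addr for _name, addr in getaddresses(msg.get_all(header, []))]

def external_recipients(msg: EmailMessage) -> list:
    """Addresses in the visible To/Cc headers that are not internal."""
    visible = addresses(msg, "To") + addresses(msg, "Cc")
    return [a for a in visible if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def check_before_send(msg: EmailMessage, reviewer) -> tuple:
    """Return (allowed, reason). Refuses the incident pattern (many external
    addresses visible to each other), refuses bulk Bcc, and enforces the
    'second pair of eyes' rule: a reviewer who is not the sender must be recorded."""
    ext = external_recipients(msg)
    if len(ext) > 1:
        return False, f"{len(ext)} external recipients visible in To/Cc; send individually"
    if len(addresses(msg, "Bcc")) > 1:
        return False, "bulk Bcc is one mis-click from disclosure; use a per-recipient send"
    if ext and not reviewer:
        return False, "external recipient present but no second reviewer recorded"
    if ext and reviewer.lower() == str(msg["From"]).lower():
        return False, "second reviewer must be a different person from the sender"
    return True, "ok"

def bulk_message() -> EmailMessage:
    """The incident pattern: one e-mail with the whole list in the visible To field."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = SENDER, ", ".join(RECIPIENTS), "Relocation update"
    m.set_content("Please see the attached guidance.")
    return m

def individual_messages(sender: str, recipients: list, subject: str, template: str) -> list:
    """Mail-merge style send: one message per recipient, so no address is shared."""
    out = []
    for addr in recipients:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, addr, subject
        m.set_content(template.format(recipient=addr))
        out.append(m)
    return out
```

The guard is meant to sit in front of whatever actually hands the message to the mail system, so a message that fails it is never queued.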

Information Commissioner John Edwards explained: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office has imposed.”

Edwards continued: “While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that’s no excuse for not protecting the information of individuals who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.”

Further, Edwards noted: “I welcome the remedial steps taken by the MoD and its collaboration with my office to ensure that its bulk e-mail policies and processes are improved such that errors of this nature are not repeated.”

Edwards went on to conclude: “By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there’s no substitute for being prepared. As we’ve seen here, the consequences of data breaches could be life-threatening. The ICO will continue to act where it finds poor compliance with the law that potentially places people at risk of harm.”
