ICO News

ICO fines MoD £350,000 for Afghan evacuation data breaches – Tech Monitor


The UK’s Information Commissioner’s Office (ICO) has issued a fine of £350,000 to the Ministry of Defence (MoD) for accidentally exposing the email addresses of 265 individuals fleeing Afghanistan in 2021. The exposure of these details over several data breaches, said the ICO, “could have resulted in a threat to life” if the addresses had been disclosed to the Taliban.

A photo of a black plaque reading "Ministry of Defence," used to illustrate a news story about a fine issued by ICO for a data breach by the department in 2021.
The ICO praised the MoD for the remedial actions it had taken since a data breach that saw the email addresses of 256 Afghan nationals exposed. (Photo by William Barton / Shutterstock)

The largest such breach took place on 20 September, according to the ICO, when the MoD’s Afghan Relocations and Assistance Policy (ARAP) team sent a single email containing personal data belonging to 245 Afghan nationals to a distribution list of individuals eligible for evacuation to the UK. This email was sent using the “To” instead of the “BCC” field, exposing the email addresses of all its recipients to one another and 55 thumbnail pictures belonging to recipient email accounts. Two individuals then clicked “Reply All” to the message, with one recipient exposing their location. Shortly afterwards, when it became clear that a breach had taken place, the MoD alerted the individuals affected and asked them to delete the message, change their email addresses and make it known to the ARAP team via a secure form. 

“This deeply regrettable data breach let down those to whom our country owes so much,” said the UK’s Information Commissioner, John Edwards. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.” 

Two similar incidents also took place on 7 September and 13 September 2021, exposing the addresses of 13 and 55 individuals respectively. Multiple instances of the same email address being disclosed eventually resulted in the exposure of 265 unique email addresses.

Readers Also Like:  Balanced attack paves the way for Weymouth’s win in the Ico Cup finals - Boston Herald

ICO praises MoD actions since data breach

Since the breaches, the MoD has taken the practical step of imposing a “second pair of eyes” policy to review all emails sent by the ARAP team to multiple individuals, in addition to updating other processes. It has also conducted an internal investigation into the breach and briefed MPs about the incident in a statement to Parliament in September 2021. It was partly in recognition of these actions, said the ICO, that the MoD’s fine had been reduced from a starting sum of £1m to £700,000. The fine was reduced further to £350,000 in deference to the ICO’s “public sector approach” to data breaches, wherein the deterrent effect of financial penalties for breaches is weighed against the material impact such punishments have on ministerial budgets. 

An MoD spokesperson reiterated their department’s regret over the breach. “The Ministry of Defence takes its data protection obligations incredibly seriously,” they said. “We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.”

This is not the first time the ICO has criticised the MoD for its data protection practices. In July 2022, it reprimanded the department for a backlog of 9,000 Subject Access Requests dating back to March 2020. ICO also condemned the MoD in June of this year for failing to respond to Freedom of Information requests in good time. 

Content from our partners
How businesses can thrive in the age of generative AI

AI is transforming efficiencies and unlocking value for distributors

Collaboration along the entire F&B supply chain can optimise and enhance business



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.