The UK’s Information Commissioner’s Office (ICO) has issued a fine of £350,000 to the Ministry of Defence (MoD) for accidentally exposing the email addresses of 265 individuals fleeing Afghanistan in 2021. The exposure of these details over several data breaches, said the ICO, “could have resulted in a threat to life” if the addresses had been disclosed to the Taliban.
The largest such breach took place on 20 September, according to the ICO, when the MoD’s Afghan Relocations and Assistance Policy (ARAP) team sent a single email containing personal data belonging to 245 Afghan nationals to a distribution list of individuals eligible for evacuation to the UK. This email was sent using the “To” instead of the “BCC” field, exposing the email addresses of all its recipients to one another and 55 thumbnail pictures belonging to recipient email accounts. Two individuals then clicked “Reply All” to the message, with one recipient exposing their location. Shortly afterwards, when it became clear that a breach had taken place, the MoD alerted the individuals affected and asked them to delete the message, change their email addresses and make it known to the ARAP team via a secure form.
“This deeply regrettable data breach let down those to whom our country owes so much,” said the UK’s Information Commissioner, John Edwards. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.”
Two similar incidents also took place on 7 September and 13 September 2021, exposing the addresses of 13 and 55 individuals respectively. Multiple instances of the same email address being disclosed eventually resulted in the exposure of 265 unique email addresses.
ICO praises MoD actions since data breach
Since the breaches, the MoD has taken the practical step of imposing a “second pair of eyes” policy to review all emails sent by the ARAP team to multiple individuals, in addition to updating other processes. It has also conducted an internal investigation into the breach and briefed MPs about the incident in a statement to Parliament in September 2021. It was partly in recognition of these actions, said the ICO, that the MoD’s fine had been reduced from a starting sum of £1m to £700,000. The fine was reduced further to £350,000 in deference to the ICO’s “public sector approach” to data breaches, wherein the deterrent effect of financial penalties for breaches is weighed against the material impact such punishments have on ministerial budgets.
An MoD spokesperson reiterated their department’s regret over the breach. “The Ministry of Defence takes its data protection obligations incredibly seriously,” they said. “We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.”
This is not the first time the ICO has criticised the MoD for its data protection practices. In July 2022, it reprimanded the department for a backlog of 9,000 Subject Access Requests dating back to March 2020. ICO also condemned the MoD in June of this year for failing to respond to Freedom of Information requests in good time.