The data breach happened over two years ago, on 20 September 2021, when the MoD sent a bulk email to a list of Afghan nationals eligible for evacuation. However, when sending the correspondence, the “To” field was used, resulting in the personal information of 245 people being inadvertently disclosed.
Recipients could not only see others’ email addresses, but 55 people also had thumbnail photos for their email accounts. Further, two individuals replied using the “Reply to All” function, with one of them providing their geographical location.
The email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting with the relocation of Afghan nationals who worked for or with the UK Government. The ICO said that if the data had been obtained by the Taliban, it “could have resulted in a threat to life.”
Soon after the breach, the MoD contacted the affected individuals, asking them to delete the email, change email addresses, and inform ARAP of their new details via a secure form. An internal investigation was also conducted, alongside a statement made in Parliament.
The internal investigation found two similar data breaches had taken place—one on 7 September 2021 involving 13 individual email addresses, and another on 13 September 2021 involving 55 individual email addresses. In total, 265 unique emails were involved in the three breaches, as in some instances the same email address was involved.
The incidents have since led to the updating of ARAP’s email policies and processes, and the implementation of a “second pair of eyes” policy to double-check when sending emails to external groups of people.
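The failure mode described above (a bulk mailing with every external recipient visible in the “To” field, so each recipient can see, and reply-all to, every other) is one that a mail-sending tool can refuse outright. The following is an added example, not code from the article or from the MoD or ARAP; all addresses, domain names and function names are constructed for illustration. It shows a policy check that rejects an outbound message exposing more than one external recipient in “To” or “Cc”, and an expansion routine that turns one bulk message into individual per-recipient messages so that no recipient ever learns another’s address (and a “Reply to All” can reach only the sender).

```python
"""Added example: outbound bulk-mail guard (hypothetical helpers, no mail is sent)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder: domains whose users may legitimately see each other.
INTERNAL_DOMAINS = {"example.gov.uk"}


def external_addresses(header_value: str) -> list[str]:
    """Return the addresses in a To/Cc header that are outside INTERNAL_DOMAINS."""
    return [
        addr
        for _, addr in getaddresses([header_value])
        if addr.split("@")[-1].lower() not in INTERNAL_DOMAINS
    ]


def check_outbound(msg: EmailMessage, max_visible_external: int = 1) -> list[str]:
    """Policy check: an empty list means the message may be sent.

    A message is rejected when any visible header (To, Cc) would show more than
    `max_visible_external` external recipients to each other.  Bcc is not inspected
    because it is stripped before delivery and never reveals co-recipients.
    """
    violations = []
    for field in ("To", "Cc"):
        exposed = external_addresses(msg.get(field, ""))
        if len(exposed) > max_visible_external:
            violations.append(
                f"{field} exposes {len(exposed)} external recipients to each other"
            )
    return violations


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The pattern that caused the breach: all recipients in one visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender: str, recipients: list[str], subject: str, body: str) -> list[EmailMessage]:
    """Safe expansion: one message per recipient, each addressed only to that person."""
    messages = []
    for recipient in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_with_guard(sender: str, recipients: list[str], subject: str, body: str) -> int:
    """Refuse the bulk form, send (here: count) the individual form.

    Returns the number of messages that passed the policy check.
    """
    bulk = build_bulk_message(sender, recipients, subject, body)
    if check_outbound(bulk):
        # The bulk message would expose recipients to each other; do not send it.
        pass
    sent = 0
    for msg in build_individual_messages(sender, recipients, subject, body):
        if not check_outbound(msg):
            sent += 1  # a real tool would hand msg to smtplib here
    return sent


if __name__ == "__main__":
    # Constructed sample recipient list (not real addresses).
    sample = ["a@example.com", "b@example.org", "c@example.net"]
    print(check_outbound(build_bulk_message("team@example.gov.uk", sample, "Update", "...")))
    print(send_with_guard("team@example.gov.uk", sample, "Update", "..."))
```

The check is deliberately header-based rather than relying on the sender remembering to use Bcc: it runs the same way whether the message is composed by a person or by a script, which is the kind of control a “second pair of eyes” policy is meant to approximate by hand.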
The fine for the 20 September 2021 breach was reduced from its starting point of £1 million to £700,000, due to the action the MoD had subsequently taken and in light of the challenges the ARAP team faced. It was further reduced to £350,000 under the ICO’s public sector approach, which serves as a deterrent to public sector departments, organisations, and groups.
Speaking on the fine and the ICO’s decision-making, John Edwards, the information commissioner, said: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.
“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.
“I welcome the MoD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.
“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”