The Ministry of Defence is fined £350,000 over leak

The Ministry of Defence is fined £350,000 over leak which could have endangered the lives of Afghans who worked for the UK in the war against the Taliban

The Ministry of Defence has been fined £350,000 after an extraordinary data blunder that could have threatened the lives of dozens of Afghans who worked for Britain in the war with the Taliban.

In a damning judgement, the UK’s Information Commissioner John Edwards said the ‘egregious’ data breach ‘let down those to whom our country owes so much’, potentially endangering the lives of 265 Afghans, who had entrusted their personal details to the MOD hoping for sanctuary.

The breach took place in September 2021, weeks after the Taliban swept into Kabul and the end of the UK’s Operation Pitting evacuation as desperate former frontline interpreters and other Afghans sought help from Britain to escape.

This newspaper’s award-winning Betrayal of the Brave campaign highlighted at the time how the MOD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed.

The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

In a damning judgement, the UK’s Information Commissioner John Edwards said the ‘egregious’ data breach ‘let down those to whom our country owes so much’, potentially endangering the lives of 265 Afghans, who had entrusted their personal details to the MOD hoping for sanctuary (file image of armed Taliban security personnel in Kabul)

This newspaper’s award-winning Betrayal of the Brave campaign highlighted at the time how the MOD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan.

News of the breach sparked outrage and panic among the former translators, amid fears the details would fall into the hands of the Taliban, who had sworn revenge on the ‘traitors’ who worked for Britain.

One ex-interpreter warned it could be ‘a death sentence’, another accused the MOD of ‘catastrophic failure.’

READ MORE: Up to 4,500 Afghans who helped British armed forces in war against the Taliban are ‘still to arrive in the UK’, Defence Minister admits

Soon after the data breach, the MoD desperately contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. New regulations and safeguards were put in place to ensure there was no repeat of the error.

During the internal investigation, the MOD discovered there had been two earlier similar breaches of data in the days after UK forces left Kabul involving 68 individual email addresses.

The original ICO fine had been £1million but was reduced to £700,000 and then £350,000 in recognition of the changes made by the MOD and the fact it had been an difficult, fast-moving situation in Afghanistan with Britain trying to help those most at risk.

Explaining the substantial fine, Mr Edwards said: ‘This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty.

‘While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.’

He added: ‘I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances. 

Last night Ullah, 34, a former translator, whose personal details were compromised, said: ‘I was frightened and furious, we were in hiding, under massive stress – this made it worse, remember the Taliban had killed several interpreters and others had been tortured’ (file image of a Taliban fighter)

‘As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm.’

Under data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately.

ICO guidance makes it clear that organisations should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically.

READ MORE: Hundreds of Afghan special forces who fought alongside UK troops before fleeing to Pakistan after war face being deported back to their Taliban-controlled homeland

The ARAP team did not have such measures in place at the time of the incident and was relying on ‘blind carbon copy’ (BCC), which carries a significant risk of human error.

The ICO found that the MoD infringed the UK General Data Protection Regulation (GDPR), between August and September 2021, by failing to have appropriate technical and organisational measures in place.

Last night Ullah, 34, a former translator, whose personal details were compromised, said: ‘No one could believe how this mistake could have happened when our lives were so obviously at risk.

‘I was frightened and furious, we were in hiding, under massive stress – this made it worse, remember the Taliban had killed several interpreters and others had been tortured.’

Ullah, who was shot on the frontlines while working with the UK and has now been relocated with his family, added: ‘This must never happen again because many Afghans are still hoping to come to Britain and if their personal details were compromised it could be fatal.’

A MOD spokesman said: ‘The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.

‘We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.’

Source: Read Full Article