MoD slapped with fine over data breach during Afghanistan evacuation
The Information Commissioner’s Office (ICO) has slapped the Ministry of Defence (MoD) with a hefty fine for a data breach during the 2021 Afghanistan evacuation.
The MoD has been fined £350,000 for disclosing personal information of people seeking relocation to the UK after the Taliban took control of Afghanistan.
Shortly after the Taliban took control of the country, an MoD team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP) sent an email to a distribution list of Afghan nationals eligible for evacuation.
The email was sent using the ‘To’ field, which meant the personal information relating to 245 people was disclosed. Of those, 55 people had thumbnail pictures on their email profiles, and when two recipients replied using the ‘reply all’ option, one had their location visible.
The ICO stated that the data disclosed in this breach, should it have fallen into the hands of the Taliban, “could have resulted in a threat to life.”
Following the breach, the MoD contacted the people affected, asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form.
The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes.
The original fine was £1m; however, it was first reduced to £700,000 to reflect the action the MoD took following the incidents. Under the ICO’s public sector approach, the fine was further reduced to £350,000.
John Edwards, UK Information Commissioner, said: “This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.”
“By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. Applying the highest standards of data protection is not an optional extra – it is a must, whatever the circumstances. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm,” Edwards added.
An MoD spokesperson said: “The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.”
They added: “We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”