By The Ministry of Defence (MoD) is being fined £350,000 following an email mishap that exposed crucial details about interpreters seeking refuge from Afghanistan.
The breach impacted 265 individuals who had collaborated with the UK government, some of whom were in hiding during the Taliban’s takeover. The Information Commissioner’s Office (ICO) deemed that lives could have been endangered if the exposed data had fallen into the wrong hands.
The MoD acknowledged the severity of the breach, fully accepted the ruling, and extended apologies to the affected parties.
The Information Commissioner, John Edwards, expressed disappointment, stating that the error had let down those to whom the country owed a great deal. He characterized the breach as particularly egregious, justifying the imposed financial penalty.
The incident occurred when the Afghan Relocations and Assistance Policy team (ARAP) mistakenly sent a mass email to 245 individuals eligible for evacuation, including those who had collaborated with the UK government. Subsequently, two respondents unintentionally exposed further information about those attempting to leave Afghanistan by using the “reply all” option.
An internal MoD investigation revealed two similar incidents, bringing the total affected count to 265 individuals, as per the ICO.
The Information Commissioner’s Office highlighted the “Bcc” error as a leading cause of data breaches and found that, between August and September 2021, the MoD failed to adhere to UK data protection requirements concerning technical processes for safeguarding data.
While recognizing the challenging circumstances surrounding the incident, the ICO emphasized that an elevated response is necessary when the risk and harm to individuals increase. The initial £1 million fine was reduced to £700,000, considering the MoD’s efforts to report the incident, mitigate its impact, and the challenges faced by teams managing staff relocation. Further, the ICO reduced the fine to £350,000 as part of an initiative to minimize the impact of government fines on the public.
The MoD stated that it had collaborated extensively with the data watchdog to address the breach and acknowledged the severity of the situation, fully accepting the ruling and expressing apologies to those affected.
