UK defence ministry fined for Afghan data breach

A total of 245 people had their details inadvertently disclosed, 55 of whom had thumbnail pictures on their email profiles

Published - December 13, 2023 07:00 am IST - London

The UK defence ministry has been fined £350,000 ($440,000) for disclosing personal information of 265 Afghans seeking to flee the Taliban, a data watchdog announced on Wednesday.

"This deeply regrettable data breach let down those to whom our country owes so much," said UK data commissioner John Edwards.

The error saw the email addresses of hundreds of people, including Afghan interpreters potentially eligible for relocation to Britain, openly included in the "to" field, rather than blind copied.

It first came to light in September 2021, soon after the Taliban takeover of Afghanistan, and the chaotic efforts to evacuate vulnerable people from the country.

Ben Wallace, who was defence minister at the time, apologised and disclosed that one official had been suspended.

Britain's Afghanistan evacuation plan has been widely criticised, with the government accused by MPs of "systemic failures of leadership, planning and preparation".

Hundreds of Afghans eligible for relocation were left behind, many with their lives potentially at risk after details of staff and job applicants were left at the abandoned British embassy in Kabul.

In his ruling, Edwards said "very challenging" conditions on the ground and fast-paced decision-making were no excuse for not protecting personal information.

Those affected "were vulnerable to reprisal and at risk of serious harm," he added. "When the level of risk and harm to people heightens, so must the response."

A total of 245 people had their details inadvertently disclosed, 55 of whom had thumbnail pictures on their email profiles.

Two people "replied all" to all recipients and one included their location, Edwards' office said.

"The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life," it added in a statement.

Recipients were told to delete the email, change their email address and tell the team in charge of relocations of their new details via a secure form.

Two other data breaches were discovered during the investigation. A total of 265 people were affected in all three incidents.

In response, the Ministry of Defence acknowledged the seriousness of the breach and said it had overhauled its procedures.

The ICO said it reduced the fine from £1,000,000 to £700,000 because of the MoD's immediate response to the error, then cut it further as it is a public body.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.