UK email mistake put ‘lives at risk’ for Afghans who had worked with British military

The United Kingdom’s Ministry of Defence (MoD) put the lives of Afghans who had helped the British military “at risk” with an email error, according to a monetary penalty notice from the Information Commissioner’s Office (ICO).

The data protection regulator fined the MoD £350,000 ($443,000) last year for exposing data that could have enabled the identification of individuals contacting the British government and seeking to be relocated from the country as the Taliban regained control in 2021. The monetary penalty notice was published on Monday.

This data was exposed when the MoD sent bulk emails using the “TO” field rather than the “BCC” field, according to the ICO. BCC (Blind Carbon Copy) is similar to the CC (Carbon Copy) field in an email except that the recipients of the email are unable to see who has been copied in. The ICO previously had reprimanded a health provider for failing to use BCC to protect the email addresses of those accessing HIV services.

According to the ICO, the MoD’s Afghan Relocations and Assistance Policy (ARAP) team — tasked with relocating individuals from Afghanistan who are at risk of Taliban reprisals for having assisted the British military during the 2001-2021 war — sent three mass emails in 2021 that exposed the identities and risked the lives of 265 individuals.

The affected individuals were subsequently contacted again using BCC and “advised to delete the email, change their email address, and inform the ARAP team of their new contact details using a weblink provided by the MoD.”

The ICO said it considered the appropriate penalty for the data breach to be £1,000,000 ($1.2 million) based on the “nature, gravity and duration” of the data breach, however this was reduced in the light of “the urgent and pressurised circumstances of the evacuation from Afghanistan” and because the MoD is a public sector body.

The effectiveness of the ARAP scheme — which has seen more than 21,000 individuals arrive in the U.K. and sometimes placed into hotels for lack of more suitable accommodation — has been the subject of controversy following the withdrawal of British forces from Afghanistan in 2021.

““We are honouring our commitment to those brave Afghans who supported the UK mission in Afghanistan. So far, we have brought around 24,600 people to safety to the UK, including over 15,600 people from the ARAP scheme, which is one of the most generous of any country, and thousands of Afghans eligible for our resettlement schemes,” an MoD spokesperson said.

At the time of the email data breaches there were believed to be thousands of individuals left in Afghanistan who were eligible to be brought to the U.K. for safety reasons after having assisted the coalition.

In its penalty notice regarding the email breach, the ICO said: “There is no evidence to suggest that the information disclosed was in fact released beyond the distribution list” and that “there is no evidence of actual harm being suffered by the individuals involved.”

A spokesperson for the MoD said the department had introduced a number of measures to act on the ICO’s recommendations.

“The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge the ruling and apologise to those affected,” they added.

It comes amid several inquiries into Britain’s withdrawal from Afghanistan, following President Donald Trump’s agreement with the Taliban in February 2020, endorsed by NATO members a month later, before the U.S. withdrawal was finally confirmed by President Joe Biden in April 2021.

As Western forces departed from Afghanistan in August 2021, the Taliban quickly recaptured swathes of the country and the Afghan government and national security forces rapidly collapsed.

The extremist group took control of Kabul on August 15, before U.S. Armed Forces completed their withdrawal on August 30. Thirteen U.S. military personnel were killed during the withdrawal alongside dozens of civilians when two bombs exploded near Kabul airport on August 26.

Undoing almost 20 years of war, the Taliban took power in September. Despite its counter-terrorism pledge to President Trump, the group was found to be sheltering Al Qaeda leader Ayman al Zawahiri — one of the architects of the 9/11 terror attacks, the primary cause of the NATO invasion back in 2001 — who was subsequently killed in a drone strike on his Kabul safehouse.