UK Ministry of Defence fined $440K for Afghan evacuation data breach
The United Kingdom’s Ministry of Defence has been fined £350,000 (about $440,000) for its failure to protect the information of Afghans who worked with the British government and sought relocation shortly after the Taliban took control of Afghanistan in 2021.
The Information Commissioner’s Office (ICO) said it is issuing the fine because the mistake “could have resulted in a threat to life.”
“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” said U.K. Information Commissioner John Edwards.
“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people's information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.”
The fine relates to a mistake that occurred on September 20, 2021, when the Defence Ministry sent an email with personal information relating to 245 people to a list of Afghan nationals eligible for evacuation.
The email addresses could be seen by all of the recipients and 55 people had thumbnail pictures connected to their email addresses. Two people replied all to the email and one inadvertently provided their location.
The email was intended for the U.K.'s Afghan Relocations and Assistance Policy (ARAP) — the organization in charge of relocating Afghan citizens who worked for or with the U.K. government in Afghanistan.
The ICO said that the information in the email list, if provided to the Taliban, would have put lives in danger.
The Ministry of Defence realized the error and asked recipients to delete the email, change their email address, and contact ARAP with new contact details. They conducted an investigation and Ben Wallace, secretary of state for Defence, appeared before Parliament to apologize for the fiasco.
Wallace told lawmakers that they updated ARAP’s email policies and will have a “second pair of eyes” rule that mandates emails are reviewed before being sent to external recipients.
The ICO noted that the ARAP team violated the U.K.’s data protection law because it did not use bulk email services, mail merge, or secure data transfer services when sending sensitive personal information electronically.
Instead, ARAP relied on ‘blind carbon copy,’ which the ICO said carries a significant risk of human error.
Two other data breaches were discovered, including one on September 7, 2021, involving 13 email addresses and another six days later involving 55 email addresses. The ICO investigation found that the ARAP team “had to rely on the MoD’s broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information.”
A Ministry of Defence spokesperson said the agency has cooperated with the ICO throughout its investigation and they “recognize the severity of what has happened.”
“We fully acknowledge today's ruling and apologize to those affected. We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course,” the spokesperson said.
The fine was reduced from £1,000,000 to £700,000 (about $879,000), according to the spokesperson, before it was halved because the fine impacts the public sector.
The ICO’s Edwards added that applying the highest standards of data protection is “not an optional extra — it is a must, whatever the circumstances.”
“As we have seen here, the consequences of data breaches could be life-threatening,” he said. “My office will continue to act where we find poor compliance with the law that puts people at risk of harm.”
In his answers to Parliament, Wallace said more than 8,800 people and families eligible under the ARAP scheme were evacuated from April to September.
While Wallace was unable to say whether the incoming Taliban government was monitoring emails, several lawmakers referenced individual cases where those who applied for evacuation were denied and eventually attacked by Taliban forces.
“I have been contacted about the harrowing case of a man who worked as a UK contractor on a UK project for many years and had a specific directed threat from a senior Taliban official. He fled his home with his family, but when his wife returned to the house to collect some belongings a few days ago, the Taliban arrived and she was shot in the head,” lawmaker Yvette Cooper said.
“She died a couple of days later. The man applied twice for the ARAP scheme and has still not had a reply.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.