The Ministry of Defence (MoD) has been fined £350,000 for a serious email mistake that exposed the personal details of interpreters fleeing Afghanistan. The breach affected 265 individuals who had worked with the UK government, some of whom were in hiding when the Taliban took control. The Information Commissioner’s Office (ICO) stated that lives could have been at risk if the data had fallen into the wrong hands. The MoD has accepted the severity of the breach, acknowledged the ruling, and apologized to the victims. The ICO’s investigation found that the breach occurred when the Afghan relocations and assistance policy team (Arap) sent a mass email to eligible individuals, but mistakenly put their addresses in the “to” field instead of the blind carbon copy (Bcc) field. This meant that email addresses were visible to all recipients. Further information about those trying to leave Afghanistan was exposed when two people responded to the email by selecting “reply all”. The ICO highlighted that the Bcc error is one of the leading causes of data breaches. An interpreter affected by the breach expressed concern that it could cost lives, especially for those still in Afghanistan. The ICO’s investigation found that between August and September 2021, the MoD failed to comply with UK data protection requirements for safeguarding data. The MoD cooperated extensively with the ICO to resolve the breach and has taken measures to limit its impact. The fine was reduced from an initial £1 million to £350,000 in recognition of these efforts and to minimize the impact on the public.
Not for human consumption
