Ministry of Defence Fined £350,000 Over Email Blunder
The Ministry of Defence (MoD) is set to pay a £350,000 fine imposed by the Information Commissioner’s Office (ICO) for a substantial data breach during the 2021 Afghanistan evacuation, jeopardising the safety of Afghan interpreters relocating to the UK post the Taliban takeover.
The incident involved an email sent by the MoD's Afghan Relocations and Assistance Policy (ARAP) team to a distribution list of 245 eligible Afghan nationals. This email mistakenly revealed personal information by placing addresses in the 'To' field instead of the intended 'Bcc' field. Recipients were consequently able to view each other's email addresses, along with thumbnail images of 55 individuals.
The gravity of the situation escalated when two recipients replied using "reply all," inadvertently exposing one person's location. The ICO emphasised the potential life-threatening consequences of the breach, stating that if the data had fallen into the hands of the Taliban, it "could have resulted in a threat to life."
The ICO found that the MoD failed to comply with data protection requirements between August and September 2021, citing a lack of appropriate technical and organisational measures. The MoD has fully acknowledged the ICO's ruling and issued an apology to the affected individuals.
An internal investigation by the MoD also revealed two similar incidents, bringing the total number of affected individuals to 265. While the initial fine of £1 million was reduced to £700,000, the ICO further decreased it to £350,000, aligning with efforts to minimise the impact of government fines on the public.
In response to the breach, the MoD has taken corrective actions, including contacting affected individuals, urging them to delete the email, change their addresses, and inform the ARAP team of their new contact details through a secure form. The MoD has also updated its email policies and processes, implementing a "second pair of eyes" policy for team members sending emails to multiple recipients.
