The UK Ministry of Defence (MoD) has been fined £350,000 for recklessly causing a data breach that exposed the personal details of Afghan citizens seeking to flee the country after the Taliban took control in 2021.
The Information Commissioner’s Office (ICO), the UK data protection watchdog, described the breach as “extremely serious” and said it could result in a “threat to lives”, after the MoD emailed a list of Afghan nationals eligible for evacuation.
In a classic To/Bcc slip, the MoD put the email addresses of 245 people who had worked in or with the British government in Afghanistan into the “To” field, where every recipient could read them, instead of the “Bcc” field.
Two recipients clicked “reply all” on the email, and one of them disclosed their location.
As the ICO explains, “The data disclosed could pose a threat to lives if it fell into the hands of the Taliban.”
Soon after, the MoD realised its mistake and sent a follow-up email (correctly Bcc’d this time) asking everyone to delete the message, change their email addresses and provide new contact details to the UK authorities via a secure communication channel.
A subsequent internal investigation found two similar data breaches at the MoD, one on September 7, 2021, involving 13 personal email addresses, and another on September 13, 2021, involving 55 personal email addresses. In all three cases, the “To:” field was used to contact multiple people, exposing the contact details of everyone on the distribution list.
Because some people’s email addresses were exposed in more than one of these incidents, the total number of unique addresses leaked was 265.
The ICO’s investigation found that the MoD did not have adequate procedures in place for the team responsible for the UK’s Afghanistan Relocation and Assistance Policy (ARAP) to ensure that group emails to those seeking to come to the UK were sent securely, and that the team had been given no specific guidance on the security risks of group email.
After receiving representations from the MoD, the ICO reduced the fine from £1m to £700,000, and then halved it to £350,000, in line with the ICO’s view that large fines are not in themselves as effective a deterrent for public-sector bodies as they are for private organisations.
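The control the ICO found missing is, at the technical level, a simple one. The script below is an added example, not code from the article or from the MoD: it builds a one-to-many message whose To: header names only the sender, keeps the real (de-duplicated) recipient list in the SMTP envelope rather than in any header, and runs a pre-send gate that rejects a message exposing more than one address in To/Cc, still carrying a Bcc header, or containing any envelope recipient in its text. The sender, the recipient list and the RecordingSMTP stand-in are constructed so the example runs offline.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a sender and a distribution list with one duplicate,
# mirroring the point that the same address can turn up in several mailings.
SENDER = "relocation-team@example.gov.uk"
RECIPIENTS = [
    "applicant1@example.com",
    "applicant2@example.org",
    "applicant3@example.net",
    "applicant1@example.com",  # duplicate, must be sent to only once
]

# A one-to-many mailing should expose at most the sender's own address.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg):
    """Addresses every recipient can read: everything in the To: and Cc: headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(f) for f in fields]) if addr]


def sender_address(msg):
    addrs = [addr for _, addr in getaddresses([str(f) for f in msg.get_all("From", [])])]
    return addrs[0] if addrs else ""


def build_exposing_message(sender, recipients, subject, body):
    """The mistake described in the article: the whole list in the To: field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_group_message(sender, recipients, subject, body):
    """Safe form: To: names only the sender. The real recipients are returned as a
    separate, de-duplicated envelope list for RCPT TO and never written into a header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))  # drop duplicates, keep order
    return msg, envelope


def check_before_send(msg, envelope):
    """Pre-send gate. Returns a list of problems; an empty list means safe to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(f"{len(visible)} addresses visible in To/Cc")
    if msg.get_all("Bcc"):
        # smtplib.SMTP.sendmail() transmits the bytes it is given, so a Bcc header
        # left in the message would reach every recipient. Bcc belongs in the envelope only.
        problems.append("Bcc header present in message")
    wire = msg.as_string()
    me = sender_address(msg)
    leaked = [a for a in envelope if a != me and a in wire]
    if leaked:
        problems.append(f"{len(leaked)} envelope recipients appear in message text")
    return problems


class RecordingSMTP:
    """Offline stand-in for smtplib.SMTP: records (from, to, bytes) instead of connecting."""

    def __init__(self):
        self.sent = []

    def sendmail(self, from_addr, to_addrs, msg_bytes):
        self.sent.append((from_addr, list(to_addrs), msg_bytes))
        return {}


def send_with_guard(smtp, msg, envelope):
    """Refuse to send anything the gate flags; otherwise use the envelope for RCPT TO."""
    problems = check_before_send(msg, envelope)
    if problems:
        raise ValueError("; ".join(problems))
    smtp.sendmail(sender_address(msg), envelope, msg.as_bytes())
    return len(envelope)


if __name__ == "__main__":
    smtp = RecordingSMTP()
    good, env = build_group_message(SENDER, RECIPIENTS, "Update", "Please check your status.")
    print("safe message sent to", send_with_guard(smtp, good, env), "recipients")
    bad, env = build_exposing_message(SENDER, RECIPIENTS, "Update", "Please check your status.")
    try:
        send_with_guard(smtp, bad, env)
    except ValueError as exc:
        print("blocked:", exc)
```

Sending one individual message per recipient is the other defensible design for a list like this, and it removes the envelope/header distinction altogether; the gate above is worth keeping in either case, because it turns "remember to use Bcc" into a check that fails closed.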
UK Information Commissioner John Edwards said: “This deeply regrettable data breach is a huge disappointment to those who have suffered for our country. While the actual situation in the summer of 2021 was very serious and challenging, and decisions were being made at speed, there was no reason not to protect the information of those who were vulnerable to retaliation and at risk of serious harm. When the risks and the level of harm people face intensify, so must the response… By issuing this fine and sharing the lessons learned from this breach, I want to make it clear to all organisations that there is no substitute for preparedness. As we have seen here, the consequences of a data breach can be life-threatening. If we discover that compliance with the law is poor, my office will continue to take action against those who put people at risk of harm.”
In the past, failure to use Bcc (blind carbon copy) has led to a string of breaches at a variety of organisations, including the US Marshals Service, a child sexual abuse inquiry, (ironically) a security awareness firm, and even the Dutch data protection authority.