UK: MoD fined £350,000 over critical data breach endangering lives of Afghan who fought against Taliban

The Ministry of Defence (MoD) in UK has been fined of £350,000 following a severe data breach that could have jeopardized the lives of 265 Afghans who aided Britain during the conflict with the Taliban.

Information Commissioner John Edwards condemned the breach as “egregious,” emphasizing the potential harm to individuals who had entrusted their personal details to the MoD in hopes of sanctuary.

The breach occurred in September 2021, shortly after the Taliban’s takeover in Kabul and the conclusion of the UK’s Operation Pitting evacuation. An email sent by the UK’s Afghan Relocations and Assistance Policy (ARAP) team inadvertently disclosed personal information of 245 individuals due to an email distribution error.

The breach triggered outrage and panic among former interpreters, fearing that the Taliban could exploit the exposed details. One described it as a potential “death sentence,” while another labeled it a “catastrophic failure” on the part of the MoD.

In response to the breach, the MoD urgently contacted affected individuals, urging them to delete the email, change their addresses, and provide new contact details through a secure form. The MoD implemented new regulations and safeguards to prevent a recurrence of such errors.

The Information Commissioner’s Office (ICO) initially imposed a £1 million fine, later reduced to £700,000 and eventually settled at £350,000. Edwards justified the substantial fine, emphasising the breach’s severity and the obligation to protect vulnerable individuals.

During an internal investigation, the MoD discovered two prior breaches involving 68 individual email addresses shortly after UK forces left Kabul. The ICO found the MoD in violation of the UK General Data Protection Regulation (GDPR) for failing to have appropriate security measures in place between August and September 2021.

Ullah, a former translator whose details were compromised, expressed disbelief at the mistake, given the evident risk to lives. Stressing the importance of preventing a recurrence, he highlighted the ongoing risk for Afghans seeking relocation to Britain.

In response, a MoD spokesman acknowledged the severity of the incident, expressed regret, and outlined the steps taken to address ICO recommendations. The spokesman assured a thorough resolution and pledged to share further details on the implemented measures.