UK Defense Ministry fined over Afghan data breach during Taliban takeover

The Information Commissioner’s Office (ICO) announced on Wednesday that it has imposed a fine on the British defense ministry for a series of email data breaches exposing details of more than 265 Afghans seeking relocation to Britain following the Taliban’s takeover of Afghanistan in August 2021.

The ICO fined the Ministry of Defense (MoD) £350,000, citing the absence of operational procedures to ensure secure transmission of group emails to Afghan nationals who had collaborated with or worked for the British government.

Quoted by Reuters, UK’s Information Commissioner John Edwards, siad in a statement: “This deeply regrettable data breach let down those to whom our country owes so much. While the situation on the ground in the summer of 2021 was very challenging, and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm.”

Former UK defense minister Ben Wallace had previously issued an apology in front of the British parliament and initiated an investigation into the breach.

The MoD acknowledged the gravity of the issue, reiterated its apology, and stated that it would provide additional details on the measures being implemented to address the ICO’s concerns in due course.

According to the ICO, the department inadvertently disclosed the personal information of 245 people when it sent an email to a distribution list of Afghan nationals eligible for evacuation on September 20, 2021, with all applicants copied. The MoD’s internal investigation revealed two additional similar breaches in the same month, compromising a total of 265 email addresses.

 The ICO emphasized that the disclosed data could have posed a threat to life if it had fallen into the hands of the Taliban.