
ICO issues Ministry of Defence with £350,000 fine over Afghan evacuation data breaches

Email addresses belonging to 265 people were compromised in a series of data breaches in the wake of the Taliban’s takeover of Afghanistan in 2021.

By Greg Noone

The UK’s Information Commissioner’s Office (ICO) has issued a fine of £350,000 to the Ministry of Defence (MoD) for accidentally exposing the email addresses of 265 individuals fleeing Afghanistan in 2021. The exposure of these details over several data breaches, said the ICO, “could have resulted in a threat to life” if the addresses had been disclosed to the Taliban.

The ICO praised the MoD for the remedial actions it had taken since a data breach that saw the email addresses of 256 Afghan nationals exposed. (Photo by William Barton/Shutterstock)

The largest such breach took place on 20 September, according to the ICO, when the MoD’s Afghan Relocations and Assistance Policy (ARAP) team sent a single email containing personal data belonging to 245 Afghan nationals to a distribution list of individuals eligible for evacuation to the UK. This email was sent using the “To” field instead of the “BCC” field, exposing the email addresses of all its recipients to one another, along with 55 thumbnail pictures belonging to recipient email accounts. Two individuals then clicked “Reply All” to the message, with one recipient exposing their location. Shortly afterwards, when it became clear that a breach had taken place, the MoD alerted the individuals affected and asked them to delete the message, change their email addresses and make it known to the ARAP team via a secure form.

“This deeply regrettable data breach let down those to whom our country owes so much,” said the UK’s Information Commissioner, John Edwards. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.” 

Two similar incidents also took place on 7 September and 13 September 2021, exposing the addresses of 13 and 55 individuals respectively. Multiple instances of the same email address being disclosed eventually resulted in the exposure of 265 unique email addresses.

ICO praises MoD actions since data breach

Since the breaches, the MoD has taken the practical step of imposing a “second pair of eyes” policy to review all emails sent by the ARAP team to multiple individuals, in addition to updating other processes. It has also conducted an internal investigation into the breach and briefed MPs about the incident in a statement to Parliament in September 2021.

It was partly in recognition of these actions, said the ICO, that the MoD’s fine had been reduced from a starting sum of £1m to £700,000. The fine was reduced further to £350,000 in deference to the ICO’s “public sector approach” to data breaches, wherein the deterrent effect of financial penalties for breaches is weighed against the material impact such punishments have on ministerial budgets. 

An MoD spokesperson reiterated their department’s regret over the breach. “The Ministry of Defence takes its data protection obligations incredibly seriously,” they said. “We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected.”


This is not the first time the ICO has criticised the MoD for its data protection practices. In July 2022, it reprimanded the department for a backlog of 9,000 Subject Access Requests dating back to March 2020. The ICO also condemned the MoD in June of this year for failing to respond to Freedom of Information requests in good time. 

