ICO issues fine for MoD data breach that put lives at risk during Afghan withdrawal
The watchdog has issued a sizeable fine for the 2021 MoD data breach
The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) for a data breach that occurred during the evacuation of Afghan nationals after the Taliban regained control of the country in August 2021.
The ICO issued a fine of £350,000 on 13 December for the MoD’s disclosure of personal information of people looking to relocate to the UK from Afghanistan during the large-scale evacuations of Kabul.
Details of 265 people trying to escape Afghanistan were compromised in email breaches weeks after the Taliban took control, which could have resulted in a threat to life, according to the data protection watchdog.
Commenting on the ICO’s decision to issue the fine, UK Information Commissioner John Edwards said the data breach let down vulnerable people who had sacrificed a great deal for the UK’s interests.
“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today.”
MoD data breach put lives at risk
On 20 September 2021, the team running the UK’s Afghan Relocations and Assistance Policy (ARAP) sent an email to a list of Afghan nationals who had worked for or with the UK government and were eligible for evacuation.
The email was sent to every Afghan national eligible for evacuation, including each personal email address in the ‘To’ field. This meant every email address was visible to all recipients, as well as the thumbnail images from 55 of the recipients’ email profiles.
Two of those included on the list of eligible Afghan nationals ‘replied all’ to the entire list, with one also sharing their location in their reply.
The ICO noted the data breach could have put the recipients in serious jeopardy should the information have fallen into the hands of the Taliban.
The investigation found the MoD failed to follow appropriate data protection procedures during the incident.
Similarly, staff at ARAP were relying on the MoD’s wider email policy and did not receive specific guidance concerning the particular security risks of sending group emails when dealing with sensitive information.
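The failure described above is a mechanical one: recipients were listed in the visible ‘To’ field rather than hidden, so every address (and, via ‘reply all’, further details) reached every other recipient. The following is an added example, not MoD, ARAP or ICO material, of the kind of pre-send check and rewrite that a mail tooling team could apply to bulk messages. The sample message, the addresses and the threshold of one visible recipient are constructed for illustration.

```python
"""
Pre-send check for bulk mailings: flag messages that expose recipient
addresses by listing several of them in To/Cc, and rewrite them so the
hidden recipients travel only in the SMTP envelope.

Added example with constructed data; not code from any organisation
named in the article.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy: at most one address may be visible in To/Cc on a
# message going to members of the public.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample of the unsafe pattern: several applicants in To/Cc.
SAMPLE_BULK = """From: relocation-team@example.gov.uk
To: applicant1@example.org, applicant2@example.org, applicant3@example.org
Cc: applicant4@example.org
Subject: Update on your application

Please read the attached guidance.
"""


def _addresses(msg, header):
    """All parsed addresses from every occurrence of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipients(raw_message: str) -> list:
    """Addresses every recipient will be able to see (To and Cc)."""
    msg = message_from_string(raw_message)
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def check_recipient_exposure(raw_message: str, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Decide whether a message may be sent as-is.

    Returns a verdict the sending pipeline can log and act on; "exposed"
    is True when more addresses are visible than policy allows.
    """
    visible = visible_recipients(raw_message)
    exposed = len(visible) > max_visible
    return {
        "visible_count": len(visible),
        "exposed": exposed,
        "action": "block: deliver individually or via envelope-only recipients"
        if exposed else "allow",
    }


def rewrite_for_private_delivery(raw_message: str, visible_to: str):
    """Return (message text, envelope recipients) for a safe send.

    All original To/Cc/Bcc addresses are moved into the envelope recipient
    list (the RCPT TO commands), and the headers are replaced with a single
    visible To address, so no recipient learns who else received the mail
    and a 'reply all' reaches only that visible address.
    """
    msg = message_from_string(raw_message)
    envelope = _addresses(msg, "To") + _addresses(msg, "Cc") + _addresses(msg, "Bcc")
    for header in ("To", "Cc", "Bcc"):
        del msg[header]          # removes every occurrence of the header
    msg["To"] = visible_to
    return msg.as_string(), envelope


if __name__ == "__main__":
    verdict = check_recipient_exposure(SAMPLE_BULK)
    print(verdict)
    if verdict["exposed"]:
        safe_text, rcpts = rewrite_for_private_delivery(
            SAMPLE_BULK, "relocation-team@example.gov.uk")
        print(check_recipient_exposure(safe_text))
        print("envelope recipients:", rcpts)
```

The rewrite deliberately does not place the hidden addresses in a `Bcc` header: a Bcc header is only safe if the submitting client strips it before transmission, whereas envelope-only recipients are never part of the message body that each person receives. The same verdict structure can feed an outbound mail gateway rule that blocks, rather than merely warns on, messages to many external addresses.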
ICO decision may leave MoD open to further civil claims
Abigail Healey, partner at Quillon Law, emphasized the importance of this decision from a regulatory perspective, noting that finding the MoD responsible for the ‘egregious’ data breach may prompt further claims from affected parties.
"This is particularly important from a regulatory perspective as, with this case, the ICO was evidently persuaded to reduce the fine levied given the remedial steps taken by the MoD,” she said.
“Their decision highlights the importance of engaging with the regulator and setting out the organization’s position, including mitigating factors, in full.
“Decisions such as this may, however, leave the organization more susceptible to civil claims.”
Healey said that while an affected data subject would still have to satisfy the courts, the ICO's decision would likely offer "very persuasive evidence" in the event of a civil case.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.