The Ministry of Defense has been fined £350,000 over a “serious” data breach that exposed the personal details of Afghan nationals trying to flee to Britain after the Taliban came to power.
The Information Commissioner’s Office (ICO) found that details of 265 people were mistakenly copied into emails sent by the government, making them visible to all recipients.
This could have resulted in a “life-threatening situation” if the disclosed data had fallen into the hands of the Taliban, according to the data watchdog.
Two people “replied all” to one of the emails, with one person sharing their location with the entire distribution list, which the ICO said consisted of Afghan citizens eligible for evacuation.
Under data protection law, organizations should take measures to prevent the disclosure of personal data and the regulator recommends using bulk email services or form letters to protect data sent electronically.
The department’s Afghan Relocations and Assistance Policy (ARAP), which was responsible for supporting the relocation of Afghan nationals working for or with the British government, did not provide for such measures at the time, the ICO said.
In doing so, it breached the UK’s General Data Protection Regulation (UK GDPR), and the ICO found that the security of personal data processed by the ARAP team was at “significant risk”.
The original email was sent on September 20, 2021 to vulnerable people left behind after the British airlift from Kabul.
The Ministry of Defense then launched an internal investigation that uncovered two similar breaches on September 7 and 13 of the same year, the ICO said.
John Edwards, UK Information Commissioner, said: “This deeply regrettable data breach has failed those to whom our country owes so much. This was a particularly serious breach of the security duty owed to these individuals and therefore warranted the fine my office imposed today.
“While the situation on the ground in the summer of 2021 was very challenging and decisions were made quickly, that is no excuse for not protecting the information of people who have been subjected to reprisals and at risk of serious harm. As the risk and harm to people increases, the response must also increase.
“I welcome the Department of Defense’s remedial actions and its collaboration with my office to ensure that its mass email policies and processes are improved to prevent such errors from occurring again.
“By imposing this fine and sharing the lessons learned from this breach, I want to make it clear to all organizations that there is no substitute for being prepared. Applying the highest data protection standards is not an optional extra, but a must, regardless of the circumstances.
“As we have seen here, the consequences of data breaches can be life-threatening. My office will continue to take action where we identify poor compliance with the law that puts people at risk of harm.”
The ICO said that following the breach, the ministry updated ARAP’s email processes, including implementing a “second eye” policy for the ARAP team when sending emails to multiple external recipients.
A Ministry of Defense spokesperson said: “The Ministry of Defense takes its data protection obligations incredibly seriously.
“We have worked fully with the ICO throughout the investigation to ensure a speedy resolution and we recognize the seriousness of what has happened.
“We fully recognize today’s verdict and apologize to those affected.
“We have introduced a number of measures to comply with the ICO’s recommendations and will provide further details of these measures in due course.”
Source : www.newschainonline.com