MoD fined over email blunder risking lives of interpreters fleeing Afghanistan

1044     0
Royal Marines pictured in Afghanistan before the withdrawal (Image: PA)
Royal Marines pictured in Afghanistan before the withdrawal (Image: PA)

The Ministry of Defence has been hit with a £350,000 fine for revealing details of interpreters fleeing Afghanistan in an email blunder.

Personal details of 265 people, who may have been eligible to come to the UK under the Afghan Relocation and Assistance Policy (ARAP), were mistakenly copied into an email. Their addresses were visible to all recipients, rather than being blind copied. The error could have put their lives in danger if the Taliban was able to get holder of the data, the Information Commissioner’s Office said. The MoD has said it accepted the importance of the data breach and apologised to the people affected.

The information commissioner, John Edwards said the error "let down those to whom our country owes so much". He added: "This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today."

The ICO advises that "bulk email services, mail merge, or secure data transfer services" are used when sending any sensitive personal information electronically and these measures were not in place. The email addresses were put in the "to" field rather than the intended blind carbon copy (Bcc) field and so they were visible to everyone.

It stated: “On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.”

Red Arrow pilot forced to send out emergency alert after bird smashes into jet eiqtieritzinvRed Arrow pilot forced to send out emergency alert after bird smashes into jet

And in addition to that incident there were two other similar data breaches that month and so that the total number of people affected was 265. The ICO stated: “The .... investigation found that, at the time of the infringement, the MoD did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation.”

An interpreter affected told the BBC the mistake "could cost the life of interpreters, especially for those who are still in Afghanistan." He stated: "Some of the interpreters didn't notice the mistake and they replied to all the emails already and they explained their situation which is very dangerous. The email contains their profile pictures and contact details."

A spokesperson for the MoD said: “The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today's ruling and apologise to those affected. We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course.”

Tim Hanlon

Print page

Comments:

comments powered by Disqus