UK's Ministry of Defence fined after Bcc email blinder that put the lives of Afghan citizens at risk

The British Ministry of Defence (MoD) has been fined £350,000 for recklessly causing a data breach that exposed the personal details of citizens of Afghanistan who were seeking to flee the country after the Taliban took control in 2021.

The breach, which the Information Commissioner's Office (ICO) data watchdog described as "egregious," could have resulted in "a threat to life" occurred after the MoD sent an email to a list of Afgan nationals eligible for evacuation.

In a classic Cc/Bcc blunder, the MoD put the email addresses of 245 people who had worked for or with the UK Government in Afghanistan into the "To" field where they could be read by all recipients.

Two people hit "reply all" to the email, with one of them providing their location.

As the ICO explains, "the data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life."

Shortly afterwards, realising its mistake, the MoD sent a follow-up email (correctly Bcc'd this time) asking everyone to delete the message, change their email addresses, and provide the UK authorities with new contact details via a secure communications channel.

A subsequent internal investigation found two similar data breaches by the MoD, one involving 13 individual email addresses on 7 September 2021, and another on 13 September 2021 involving 55 individual email addresses. In all cases, the "To:" field had been used to contact multiple individuals, exposing contact details with everyone in the distribution list.

With some unfortunate individuals having had their email address exposed in more than one of these breaches, the total number of unique addresses breached was 265.

The ICO's investigation found that the MoD did not have procedures in place with its team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP) to ensure that group emails were sent securely to those seeking to come to the UK, and had not been offered specific guidance about security risks associated with group emails.

After representations from the MoD, the ICO reduced its fine from one million pounds to £700,000, and then halved it to £350,000 as part of the organisation's belief that large fines are not on their own as effective a deterrent within the public sector as they are to private organisations.

“This deeply regrettable data breach let down those to whom our country owes so much, " said UK information commissioner, John Edwards. “While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response... By issuing this fine and sharing the lessons from this breach, I want to make clear to all organisations that there is no substitute for being prepared. As we have seen here, the consequences of data breaches could be life-threatening. My office will continue to act where we find poor compliance with the law that puts people at risk of harm."

In the past, a failure to use Bcc has resulted in a series of breaches for different organisations ranging from the US Marshals, an inquiry into child sexual abuse, and even (ironically) security awareness companies and even the Dutch Data Protection Authority.