Earlier this year, the Ministry of Defence (MoD) experienced two shocking data breaches that put Afghans and their families at risk.
- Many of those exposed in the breach were in hiding.
- If this data falls into the hands of the Taliban, the consequences for the victims could be fatal.
- The MoD has been criticised for its “staggering incompetence”.
In August 2021, the Taliban took control of Afghanistan following the withdrawal of UK and US troops. In response, thousands of people scrambled to flee the country in fear. Many of those attempting to leave Afghanistan worked alongside the British Government and the British Army during the Afghanistan conflict. The Taliban is thought to be searching for these people to punish them. The Taliban has also threatened to prosecute, interrogate, and punish family members on behalf of individuals who do not give themselves up.
Potentially catastrophic data protection failures
The Afghan Relocations Assistance Policy (ARAP) is the MoD team charged with the evacuation operation of Afghans who have helped the UK. However, despite promises about safety, ARAP mistakenly copied over 250 Afghan interpreters into an email asking for an update on their situation. At least one of the recipients is from the Afghan National Army.
Email addresses were exposed in this data privacy violation, and some photographs of the interpreters. It’s not clear whether all the interpreters at risk are still in Afghanistan, but many were believed to be hiding.
This potentially catastrophic data protection breach exposed those who worked against the Taliban and could put the lives of these Afghan interpreters and their families at risk. And, to make matters worse, just days later, ARAP caused a second data breach compromising the safety of more Afghans who may be eligible to relocate to the UK.
Commenting on the privacy failures, Kingsley Hayes, head of data breach at Keller Lenkner UK said:
“Not using the bcc functionality when sending an email to multiple recipients is a common data privacy mistake and one that an organisation like the MoD should easily be able to prevent with the proper training and processes.
“With two remarkably similar data violations happening within days, serious questions must be asked about how such breaches are allowed to happen.”
These are not the only Data Protection Act failures by the MOD this year. Only a few months ago, a member of the public discovered sensitive documents containing details about HMS Defender and the British military at a bus stop in Kent.
The Ministry of Defence launched an investigation into the data privacy failures, and a spokesperson said that it was “working hard to ensure it does not happen again”.
However, it faced universal condemnation for putting vulnerable people at serious risk. If this highly sensitive information falls into the hands of the Taliban, the consequences could be fatal.
Former defence minister Johnny Mercer tweeted that the MoD and the Home Office had been “criminally negligent“. Liberal Democrat defence spokesman Jamie Stone said the breach was “shocking and truly a betrayal“. Speaking to the media, John Healey, Labour’s Shadow Defence Secretary, said, “this breach has needlessly put lives at risk”.
Those affected by the Afghan breaches have been informed. However, Kingsley Hayes believes that the MoD must be held responsible. He said:
“While the immediate priority must be to secure the safety of those put at risk by the MoD’s failures, those responsible must ultimately be held to account. Lives have been put at risk by such staggering incompetence and this is simply unforgivable.”