This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

MoD Fined £350k for Afghan Evacuation Data Breach

MoD Fined £350k for Afghan Evacuation Data Breach


265 people seeking relocation to the UK from Afghanistan after the Taliban took control in 2021 had their personal data compromised

The breach occurred when the MoD mistakenly sent an email on September 20, 2021, to a list of Afghan nationals eligible for evacuation. The email included personal details, and due to an error in the ‘To’ field, this information was visible to all recipients, potentially endangering lives. Two individuals then mistakenly replied to all, further escalating the exposure.

The compromised data, if accessed by the Taliban, could have posed serious threats to the affected individuals. The MoD took immediate steps post-breach, requesting recipients to delete the email, change their addresses, and provided a secure form to update their contact details. Additionally, the MoD conducted an internal investigation, informed Parliament about the breach, and updated email policies, introducing a double-check system for outgoing emails.

The ICO, while acknowledging the challenging circumstances at the time, emphasized the MoD's failure in safeguarding sensitive data and protecting vulnerable individuals. John Edwards, the UK Information Commissioner, emphasized the critical need for robust data protection measures, stressing that compliance is crucial, especially in situations where lives are at risk.

Despite the MoD's remedial actions, the ICO imposed a fine of £350,000, reducing it from the initial amount of £1,000,000, considering the MoD's response post-breach. This serves as a deterrent, reinforcing the importance of stringent policies and training to prevent inadvertent data disclosures.

The ICO's investigation also unveiled two other similar breaches on September 7 and September 13, 2021, involving a total of 265 unique email addresses. It was found that, at the time, the MoD lacked specific procedures for securely sending group emails, and the ARAP team lacked explicit guidance on handling sensitive data.

The MoD recognized the severity of the breach, cooperated with the investigation, and committed to implementing further measures to address ICO recommendations. However, the ICO's findings underscore the necessity for robust procedures and specific guidance to prevent similar lapses in data security.


Picture courtesy of By Voice of America News -, Public Domain,