MoD Fined £350k for Afghan Evacuation Data Breach

12 Dec 2023News

265 people seeking relocation to the UK from Afghanistan after the Taliban took control in 2021 had their personal data compromised

The breach occurred when the MoD mistakenly sent an email on September 20, 2021, to a list of Afghan nationals eligible for evacuation. The email included personal details, and due to an error in the ‘To’ field, this information was visible to all recipients, potentially endangering lives. Two individuals then mistakenly replied to all, further escalating the exposure.

The compromised data, if accessed by the Taliban, could have posed serious threats to the affected individuals. The MoD took immediate steps post-breach, requesting recipients to delete the email, change their addresses, and provided a secure form to update their contact details. Additionally, the MoD conducted an internal investigation, informed Parliament about the breach, and updated email policies, introducing a double-check system for outgoing emails.

The ICO, while acknowledging the challenging circumstances at the time, emphasized the MoD's failure in safeguarding sensitive data and protecting vulnerable individuals. John Edwards, the UK Information Commissioner, emphasized the critical need for robust data protection measures, stressing that compliance is crucial, especially in situations where lives are at risk.

Despite the MoD's remedial actions, the ICO imposed a fine of £350,000, reducing it from the initial amount of £1,000,000, considering the MoD's response post-breach. This serves as a deterrent, reinforcing the importance of stringent policies and training to prevent inadvertent data disclosures.

The ICO's investigation also unveiled two other similar breaches on September 7 and September 13, 2021, involving a total of 265 unique email addresses. It was found that, at the time, the MoD lacked specific procedures for securely sending group emails, and the ARAP team lacked explicit guidance on handling sensitive data.

The MoD recognized the severity of the breach, cooperated with the investigation, and committed to implementing further measures to address ICO recommendations. However, the ICO's findings underscore the necessity for robust procedures and specific guidance to prevent similar lapses in data security.

Picture courtesy of By Voice of America News - https://www.youtube.com/watch?v=nAg7egiXClU, Public Domain, https://commons.wikimedia.org/w/index.php?curid=109034031

Legal News desk contact: editorial@solicitorsjournal.com

Latest Articles

EU AI Act brings GPAI rules to life

The EU’s new AI rules make GPAI compliance an immediate reality for UK companies developing or deploying these models

A historic step: 16-17 year olds gain vote

After years of advocacy, the UK Government confirms voting rights for 16 and 17 year olds

Supreme Court ruling on fraudulent trading liability

UK Supreme Court clarifies liability of third parties in MTIC fraud and limitation rules for dissolved companies.

Forty years on, surrogacy law is still playing catch-up

Despite international growth in surrogacy, UK law remains reactive, outdated and ill-equipped for today’s challenges

Tudor v Tecuci District Court: Article 8 extradition appeal analysis

High Court upholds Romanian extradition despite private life arguments

Law firm reports significant caseload rise

A surge in immigration-related legal advice reflects new UK policies tightening regulations affecting businesses and individuals

Costs Lawyers seek recognition and support

The Association of Costs Lawyers aims to elevate its members' status and engage the younger workforce

Gig economy drivers challenge their status

Former eCourier drivers have launched a legal claim to secure workers' rights against misclassification

When is an environmental case not an Aarhus claim?

Court of Appeal narrows Aarhus costs protection, requiring direct breach of environmental law, not incidental impacts.

Commonhold’s fragile foundations: risk and reality

Commonhold promises fairness and simplicity, but unresolved enforcement and financial risks threaten its stability and long-term value

How the amended English Arbitration Act puts London at the centre of global arbitration reform

The Arbitration Act 2025 introduces reforms enhancing efficiency, certainty, and London’s global leadership in international arbitration

Support needed for UK retailers now

Clarke Willmott LLP calls for intervention in the autumn statement to avert worsening conditions in retail

Court of Appeal clarifies GDPR compensation thresholds in Farley v Equiniti

Court of Appeal establishes new precedent on data breach compensation claims.

Crest Nicholson v Secretary of State: Water neutrality upheld in planning decision

High Court affirms water neutrality condition for housing development near ecologically sensitive sites.

O Argence-Lafon v Ark Syndicate Management: EAT whistleblowing judgement analysis

Employment Appeal Tribunal clarifies protected disclosure requirements in insurance sector whistleblowing case

SJ Interview: James Palmer CBE

James Palmer CBE, Partner of Herbert Smith Freehills Kramer, has long been recognised as one of the UK’s most influential corporate lawyers and policy voices. Awarded a CBE in 2025 for his services to business and law, he has combined a high-profile career in M&A with decades of work on legal reform. In this interview, he discusses the challenges of legislative inflation and corporate advice, access to justice, and the future role of technology.

The SQE is failing its own test

Five years on, the SQE is underperforming, and targeted reforms could close persistent gaps.