The Information Commissioner's Office has imposed a £350,000 fine on the U.K.'s Ministry of Defence (MoD) for a significant data breach during the evacuation of individuals from Afghanistan in 2021. The MoD, in an attempt to reach Afghan nationals eligible for evacuation, inadvertently exposed personal data of 245 individuals by sending an email to a distribution list. The breach revealed email addresses to all recipients, and 55 people had thumbnail pictures visible on their profiles. Two individuals 'replied all,' with one disclosing their location.
Information Commissioner John Edwards described the breach as deeply regrettable; it violated U.K. data protection law and underlines that organizations handling sensitive information electronically must employ secure measures. The email relied on blind carbon copy. The ICO stressed that organizations sending this kind of information should instead use bulk email services, mail merge, or secure data transfer services.
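The risk the ICO points to is structural: a single group message puts every recipient's address into a header that all of them can read (and that any "reply all" echoes), whereas a mail-merge style dispatch sends each person their own message. The following Python script is an added example, not code from the ICO notice or from any MoD system. It builds both forms with the standard library's `email` package and adds a pre-send guard that rejects any message exposing more than one address in To or Cc; the distribution list and addresses are constructed placeholders, and nothing is actually transmitted.

```python
"""Group email versus mail merge, with a pre-send exposure guard.

Added example; not from the ICO notice or any MoD system.
The recipient list is constructed for illustration only.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample distribution list (placeholder addresses).
RECIPIENTS = [
    {"email": "alice@example.org", "name": "Alice"},
    {"email": "bob@example.org", "name": "Bob"},
    {"email": "carol@example.org", "name": "Carol"},
]

SENDER = "relocations@example.gov"  # placeholder sender address


def visible_recipients(msg: EmailMessage) -> list:
    """Return every address that all recipients can see (To and Cc).

    Bcc is deliberately excluded: a Bcc header is stripped on sending,
    so it is not exposed to other recipients.
    """
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return addrs


def safe_to_send(msg: EmailMessage) -> bool:
    """Pre-send guard: allow at most one visible recipient per message."""
    return len(visible_recipients(msg)) <= 1


def build_group_email(recipients: list, subject: str, body: str) -> EmailMessage:
    """The risky pattern: one message with every recipient in the To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(r["email"] for r in recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_merged_emails(recipients: list, subject: str, body_template: str) -> list:
    """Mail-merge pattern: one personalised message per recipient.

    Each message carries exactly one address in To, so no recipient learns
    who else is on the list, and a reply-all reaches only the sender.
    """
    messages = []
    for r in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = r["email"]
        msg["Subject"] = subject
        msg.set_content(body_template.format(name=r["name"]))
        messages.append(msg)
    return messages


def dispatch(messages: list) -> int:
    """Apply the guard to every message; return how many would be sent.

    A real deployment would hand each approved message to an SMTP client
    here; this example only counts them.
    """
    blocked = [m for m in messages if not safe_to_send(m)]
    if blocked:
        raise ValueError(
            f"{len(blocked)} message(s) expose multiple recipients; refusing to send"
        )
    return len(messages)


if __name__ == "__main__":
    group = build_group_email(RECIPIENTS, "Update", "Hello all")
    print("group email visible to everyone:", visible_recipients(group))
    merged = build_merged_emails(RECIPIENTS, "Update", "Dear {name}, ...")
    print("merged messages approved for sending:", dispatch(merged))
```

The guard is cheap enough to sit in front of any outbound mail path; the point is that it catches the group message before it leaves, rather than relying on the sender remembering to use Bcc.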
Edwards stated, "This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today." He underscored that even in challenging situations, such as the Afghan evacuation, protecting the information of vulnerable individuals is paramount.
The email in question originated from the team managing the U.K.'s Afghan Relocations and Assistance Policy, tasked with aiding the relocation of Afghan citizens who collaborated with the U.K. government. The ICO found that this team lacked specific guidance regarding the security risks associated with sending group emails containing sensitive information.