UK Defence fined for leaking details of Afghan nationals

The UK Ministry of Defence (MOD) is facing a fine from the Information Commissioner’s Office (ICO) after a data breach led to the details of hundreds of Afghan nationals being compromised, which put their lives at risk.

Daniel Croft
Fri, 15 Dec 2023

The personal information of 265 people looking to come to the UK from Afghanistan following the western retreat in 2021 was leaked as part of an “email error”.

“On 20 September 2021, the MOD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed,” said the ICO.

“The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.”


The ICO added that the data that was disclosed could have created a life-threatening situation for those involved had that information reached the hands of the Taliban.

Following the breach, the ICO issued the UK MOD a fine of £350,000 (roughly $666,400), saying that the MOD “did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation”.

Following the incident, the MOD began an internal investigation, updated ARAP policies regarding emails, and instructed recipients to delete the emails, change their email addresses and inform the MOD of the new details.

“The Ministry of Defence takes its data protection obligations incredibly seriously. We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected,” the MOD said.

“We have introduced a number of measures to act on the ICO’s recommendations and will share further details on these measures in due course.”

UK information commissioner John Edwards has said that while the data breach was disappointing, he is pleased with the changes the MOD have announced.

“This deeply regrettable data breach let down those to whom our country owes so much. This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” he said.

“I welcome the MOD’s remedial steps taken and its collaboration with my office to ensure its bulk email policies and processes are improved so such errors are not repeated.”
