The UK’s Information Commissioner’s Office (ICO) has fined the Ministry of Defense £350,000 for a data breach incident in 2021 that jeopardized the safety of Afghans who had collaborated with the British army.
The breach occurred when employees responsible for the Afghans resettlement program mistakenly included all recipients’ email addresses in the “to” field instead of using the hidden BCC field. This error led to the disclosure of personal data belonging to 265 individuals seeking help, potentially endangering their lives as the Taliban sought to retaliate against those who had supported British forces.
The affected individuals were part of the ARAP program, which aimed to assist those who had aided NATO troops during the military operation in Afghanistan from 2001 to 2021. Following the breach, the Ministry of Defense contacted the victims to advise on changing their email addresses and provided a secure platform for updated communications.
While the initial fine for the breach was set at £1 million, it was reduced to £350,000 considering the urgency of the situation during the evacuation process. The ICO noted in its order that there was no evidence of the compromised data being accessed by third parties or causing real harm.
A spokesperson for the Ministry of Defense expressed regret over the incident, emphasizing their commitment to data protection obligations. The ARAP program facilitated the resettlement of over 21,000 Afghans in the UK, but it faced criticism for leaving many allies behind following the troop withdrawal in 2021.
The decision to withdraw Western troops from Afghanistan was taken following an agreement with the Taliban in February 2020, under which the insurgents pledged not to harbor terrorists in exchange for the withdrawal of foreign forces. However, the Taliban swiftly regained control of the country after the troop withdrawal, culminating in the fall of Kabul on August 15, 2021, marking the end of almost two decades of Western military presence in the region.