020 7650 1200

Hacker Data Breach

Afghan national’s lawyer welcomes Ministry of Defence fine for “particularly egregious” data breach of Afghan nationals’ personal data

The Information Commissioner’s Office, the independent body responsible for upholding information rights and data privacy, has fined the Ministry of Defence £350,000 for disclosing personal information of 265 Afghan nationals seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. The ICO found that “the egregious breach let down those to whom our country owes so much” and that the error could have resulted in a threat to life.

Posted on 13 December 2023

In a series of data breaches on 7th, 13th and 20th September 2021, the team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP) at Ministry of Defence sent emails to distribution lists of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 265 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The ICO reduced a proposed fine of £1,000,000 to £700,000 to reflect the action the Ministry of Defence took following the incidents and recognising the significant challenges the ARAP team had faced. The proposed fine was then further reduced from £700,000 to £350,000 to reflect the ICO’s current approach of issuing lower fines to public sector organisations.

The ICO confirmed that, under data protection law, organisations must have appropriate technical and organisational measures in place to avoid disclosing people’s information inappropriately and that organisations should use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically rather than, as in this case, ARAP relying on ‘blind carbon copy’ (BCC), which carries a significant risk of human error.

In response, the Ministry of Defence stated that they fully acknowledged the ICO’s ruling and apologised to those affected. The Ministry of Defence also confirmed that, following the data breach incidents, they had updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients.

Leigh Day is currently pursuing a claim for compensation by a client, an Afghan national who had previously assisted UK forces, whose personal details were affected by one of the data breaches. He and his family have now relocated to the UK. However, he remained in Afghanistan between September 2021, the time of the data breach, until February 2022, when he and his family managed to travel to Pakistan. During this time, he was extremely scared for his and his family’s safety and was aware that the Taliban were searching for him. We are currently awaiting a response to a detailed letter of claim first sent to the Ministry of Defence in March 2023.

Sean Humber, a specialist data breach lawyer at Leigh Day said:

“We welcome the ICO’s findings regarding the Ministry of Defence’s failure to keep Afghan nationals’ personal data safe. The data breaches put the lives of those affected and their families at risk and made what was already a very difficult situation for them in Afghanistan even worse. The MOD must now compensate those affected for the very considerable anxiety and distress that the data breach caused without further delay.”

Anybody affected by these data breaches who wishes to discuss the matter on a confidential basis, without obligation, contact Sean Humber on 00 44 20 7650 1200 or by email at shumber@leighday.co.uk.

Sean Humber
Data protection and privacy Discrimination Environment Human rights Judicial review

Sean Humber

Sean is an experienced human rights lawyer and privacy breach compensation claims specialist

News Article
Computer Keyboard
Human rights Data breach

Further companies affected by Clop MOVEit cyber-attack

Leading data breach lawyers have confirmed that recent announcements that employee and customer information from more companies has been hacked by Clop as a result of the MOVEit cyber-attack may lead to claims for compensation by those affected.

News Article
Data Security
Data breach Human rights

Serious data breach affects personal information of tens of thousands of British Airways, Boots and BBC staff

Leading data breach lawyers say that the recent announcements by British Airways, Boots and BBC that their staff’s personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.