The UK’s Ministry of Defence is at the centre of growing criticism after potentially putting the lives of Afghan citizens at risk in an email data breach, the second such incident to emerge in the space of a week.
The latest incident saw the email addresses and names of 55 individuals, at least one of them a former member of the Afghan National Army, mistakenly copied into an email with their details visible to all other recipients. The email originated from the Afghan Relocation and Assistance Policy (Arap) team.
Earlier this week, Arap exposed data on more than 250 Afghan interpreters who, like the recipients of the latest email blunder, were awaiting relocation to the UK – their personal safety being at risk from Taliban reprisals should they remain in Afghanistan.
Defence secretary Ben Wallace announced an investigation into the first incident in the Commons on Tuesday, and according to the BBC he had supposedly been unaware of the second breach at that point.
The MoD apologised for the second leak and said extra support was being offered to the 55 new victims. In a statement, a departmental spokesperson said steps had been taken “to ensure this does not happen in the future”.
Computer Weekly contacted the MoD to establish further facts around the incidents, but had not received a response at the time of writing. This story will be updated if more information is forthcoming.
Kingsley Hayes, head of data breach at law firm Keller Lenkner, commented: “The Ministry of Defence has launched an investigation into the data privacy failures and has reportedly taken steps ‘to ensure this does not happen in the future’. But with two serious data breaches happening within days, and another breach happening only a few months ago when a member of the public discovered sensitive documents at a bus stop, serious questions must be asked about how such violations are allowed to happen.
“Furthermore, while the immediate priority must be to secure the safety of those put at risk by the MoD’s haphazard email processes, those responsible must ultimately be held to account. Lives have been put at risk and this is simply unforgivable.”
Andreas Theodorou of ProPrivacy condemned a “confirmed pattern of incompetence” and said that while human error was understandable, there was now clear evidence that key workers at the MoD were failing to follow basic security best practice.
“People will suffer as a result of this, and not just the high-profile members of the Afghan army who have been outed by the failures of a rushed withdrawal. Once again, the MoD has given the Taliban an opportunity to launch physical and digital attacks against ourselves and our allies, and all out of a perceived lack of digital literacy,” he said.
“A system of checks is clearly needed before sending out mass communications to vulnerable recipients in hostile lands, where any data leaked can be used against our allies and ourselves.”
Wouter Klinkhamer, CEO of Zivver, a Dutch company specialising in outbound email security, described the latest breach as a stark demonstration of what could go wrong when email communications are not correctly safeguarded, and said that although the MoD presented an extreme example, there were lessons for all types of organisations.
“All business leaders need to sit back and review how sensitive information is being shared and what support their workforce have to communicate securely,” said Klinkhamer. “It’s common that incidents such as this are a result of human error [verified by the UK’s ICO] – an employee inadvertently selecting ‘Cc’ instead of ‘Bcc’ before sending the email.
“However, we’re all human, we all make mistakes. Organisations need to focus on how they can empower their individuals to be able to share information securely when they need, with confidence and with ease, to avoid a potentially damaging situation.”