Investigation launched after MoD email blunder

Exposure of PII on Afghan interpreters who worked with the UK may put hundreds at risk of Taliban reprisals

An investigation is to take place into a serious data breach arising from an email error at the UK’s Ministry of Defence (MoD), which mistakenly exposed the personal data of more than 250 Afghan interpreters awaiting relocation to the UK by copying email addresses, names and other information into the body of an email.

The MoD has apologised for the incident, telling the BBC, which was first to report the breach, that it took such matters “very seriously” and would take steps to ensure it could not happen again.

The email is understood to have originated from the Afghan Relocations and Assistance Policy (Arap) which, since the Taliban took back control of Afghanistan, has been working overtime to assist people who had worked with the UK during the past 20 years and now find themselves targeted for retribution by the new government.

Many of those affected have been able to escape to other countries, but some remain in hiding in Afghanistan. One of the recipients told the BBC that some of those copied in did not realise the mistake and used the ‘reply all’ function, and may have put themselves at further risk of reprisals by exposing their locations and other details of their cases.

Posting to Twitter, former defence minister Johnny Mercer spoke of a “criminally negligent” performance by the MoD and the Home Office in supporting left-behind interpreters and other support staff, and said many would probably be “moving house again tonight”.

Andreas Theodorou, a digital privacy expert at ProPrivacy, said: “This data breach is a drop in the ocean of national embarrassment at the callous disregard for the Afghani people who supported our forces. The fact that this is the second data breach this year at the MoD suggests a pattern of incompetence, and an inability to protect the digital rights and freedoms of ourselves and our allies.

“The bungled leadership and lack of care are costing lives – it’s just not good enough. People are dying because of avoidable mistakes, and the public should demand severe punishment for those responsible.

“By leaking this data, the Taliban could easily launch dedicated physical and digital attacks to root out further information, potentially breaching the safety of countless allies and refugees, and could result in them acquiring sensitive information which could be used against us. This isn’t just a gross breach of trust, it’s a breach of national security and morality,” added Theodorou.

Comforte AG product manager Trevor Morgan said that anybody who has ever committed a ‘reply all’ gaffe could surely commiserate with whoever wrote the original email.

“[But] in this case, mistakenly copying these people’s email addresses … could have dire consequences for the unfortunate data subjects,” he said.

“The only way to prevent or at least mitigate the consequences of human error like this is to continue to institute within every organisation and enterprise a very strong culture of data privacy encouraging people to slow down, and double- and triple-check human input, especially when it deals with sensitive information, and always keep in mind the potential consequences of data leaks and breaches triggered by simple mistakes,” said Morgan.

“There is little in the way of technology that can prevent these kinds of mistakes from occurring. So it’s down to organisations to effectively train their users to be mindful as to what content and information is being shared in an email,” added KnowBe4’s Javvad Malik.

“Only through continued vigilance can such mistakes be eliminated. While it’s an easy mistake to make with the single click of a mouse, a leak of this kind can have a massive impact on the lives and safety of those implicated,” said Malik.