04 October 2021

The Ministry of Defence (MoD) has apologised following a major “data breach” that reportedly exposed the email addresses of more than 250 interpreters who remain in Afghanistan.

Defence secretary Ben Wallace said it would be an understatement to say he was angered after a number of people seeking relocation to the UK – many of whom are still hiding from the new Taliban government – were mistakenly copied into an email.

The minister has apologised to those affected and launched an investigation. One person has been suspended, he said.

Once the mistake had been made apparent, the MoD then sent another email 30 minutes later with the title “Urgent - Arap case contact” asking the recipients to delete the previous email and warning “your email address may have been compromised”.

It also recommended the interpreters change their email addresses.

The MoD has also referred itself to the Information Commissioner’s Office.

Addressing fellow MPs in the House of Commons, Wallace said: “I apologise to those Afghans affected by this data breach and with Home (the Home Office) we are now working with them to provide security advice. It is an unacceptable level of service that has let down the thousands of members of the armed forces and veterans. On behalf of the Ministry of Defence, I apologise.”

An MoD spokesperson added that an investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team.

“We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again,” the spokesperson added. “The Ministry of Defence takes its information and data handling responsibilities very seriously.”

The MoD has said it will take all necessary steps under UK GDPR (General Data Protection Regulation) rules.

Wouter Klinkhamer, chief executive officer at secure communication solutions specialist Zivver, said news of the data breach “is a stark reality” of what can happen when digital communications are not safeguarded.

“This is an extreme example of course where the data breach is potentially lifethreatening; but all business leaders need to sit back and review how sensitive information is being shared and ask what support does its workforce have to communicate securely,” he said. “It’s common that incidents such as this are a result of human error (verified by the UK’s ICO) – an employee inadvertently selecting ‘Cc’ instead of ‘Bcc’ before sending the email.”

Klinkhamer added that while “we’re all human, we all make mistakes” – organisations need to focus on how they can empower their individuals to be able to share information securely “when they need, with confidence and with ease to avoid a potentially damaging situation”.