Britain's data watchdog has issued the Ministry of Defence with a financial penalty of £350,000 for the BCC email blunder that exposed names and contact data of Afghan interpreters locked in the Taliban-controlled country.

The potentially life-or-death breach happened in autumn 2021 following the complete withdrawal of UK and US troops in the summer, leaving a power vacuum that was filled again by the militant Pashtun national organization.

The Taliban had embarked on a campaign to seek out and punish any Afghans helping Western military. Some interpreters were reportedly murdered and many feared for their lives.

The offending BCC email was sent on September 20, 2021, by the UK's Afghan Relocations and Assistance Policy (ARAP), the unit in charge of assisting the relocation of citizens who worked for or with the UK government in Afghanistan.

The distribution list included Afghan nationals that were eligible for evacuation. The email urged the interpreters, somewhat ironically, not to put themselves or their families in danger. Personal information of 245 applicants was inadvertently exposed, and the email addresses could be seen by all with 55 having their thumbnail pic associated with the email account.

Two people even replied all to the entire list of recipients and one of them had provided their location.

"The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life," said the ICO today.

Recipients of the BCC email were asked to delete the email, change their email address, and tell the ARAP crew of their new contact details via a secure channel.

"Staff joining the ARAP team had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information," the ICO said.

The MoD subsequently ran an internal investigation on the events, urging ARAP to update policies and processes - including asking for a second pair of eyes for cross checking purposes to look over emails that were being sent to multiple external recipients.

"This deeply regrettable data breach let down those to whom our country owes so much," said John Edwards, UK Information Commissioner. "This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today."

"Applying the highest standards of data protection is not an optional extra - it is a must, whatever the circumstances. As we have seen here, the consequences of data breaches could be life-threatening," Edwards added.

The MoD was found to have broken UK GDPR by failing to have sufficient safeguards in place to prevent the issues. The ARAP team had relied on BCC, which "carries a significant risk of human error," the ICO said

The ICO today advised the MoD to use bulk email services, mail merge or secure data transfer services when dispatching sensitive personal data electronically.

In a statement to The Reg, a spokesperson at the MoD said: "We have cooperated extensively with the ICO throughout their investigation to ensure a prompt resolution, and we recognise the severity of what has happened. We fully acknowledge today's ruling and apologise to those affected.

"We have introduced a number of measures to act on the ICO's recommendations and will share further details on these measures in due course."

A fine of £1 million was reduced to £700,000, the ICO said, reflecting the corrective actions taken the Department, and then halved under the Public Sector Approach, which is designed to act as a deterrent to data breaches to ensure fresh training and policies are put in place.

The MoD's internal probe into the September 20 events also found another instance that same month involving BCC blunders.

Will Richmond-Coggan, partner and head of data breach litigation at Freeths, told us:

"The ICO’s willingness to impose a significant fine, despite its recent policy of only issuing reprimands in relation to public sector breaches, underscores the gravity of this incident.

"The more sensitive the information, the more stringent the measures that need to be in place to protect it. Here, the MoD has acknowledged that the risks around disclosure were potentially matters of life and death.

"In my view, this incident serves as a vital reminder to organisations of all shapes and sizes to keep processes for securing and sharing data under review, and to be ready to implement additional safeguards where merited by the sensitivity of specific data." ®

https://www.theregister.com//2023/12/13/mod_bcc_email_fine/