The UK defence ministry has been fined GBP350,000 ($440,000) for disclosing personal information of 265 Afghans seeking to flee the Taliban, a data watchdog announced on Wednesday.
“This deeply regrettable data breach let down those to whom our country owes so much,” said UK data commissioner John Edwards.
The error saw the email addresses of hundreds of people, including Afghan interpreters potentially eligible for relocation to Britain, openly included in the “to” field, rather than blind copied.
It first came to light in September 2021, soon after the Taliban takeover of Afghanistan, and the chaotic efforts to evacuate vulnerable people from the country.
Ben Wallace, who was defence minister at the time, apologised and disclosed that one official had been suspended.
Britain’s Afghanistan evacuation plan has been widely criticised, with the government accused by MPs of “systemic failures of leadership, planning and preparation”.
Hundreds of Afghans eligible for relocation were left behind, many with their lives potentially at risk after details of staff and job applicants were left at the abandoned British embassy in Kabul.
In his ruling, Edwards said “very challenging” conditions on the ground and fast-paced decision-making were no excuse for not protecting personal information.
Those affected “were vulnerable to reprisal and at risk of serious harm,” he added. “When the level of risk and harm to people heightens, so must the response.”
A total of 245 people had their details inadvertently disclosed, 55 of whom had thumbnail pictures on their email profiles.
Two people “replied all” to all recipients and one included their location, Edwards’ office said.
“The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,” it added in a statement.
Recipients were told to delete the email, change their email address and tell the team in charge of relocations of their new details via a secure form.
Two other data breaches were discovered during the investigation. A total of 265 people were affected in all three incidents.
In response, the Ministry of Defence acknowledged the seriousness of the breach and said it had overhauled its procedures.
The ICO said it reduced the fine from GBP1,000,000 to GBP700,000 because of the MoD’s immediate response to the error, then cut it further as it is a public body.