The British Ministry of Defence (MoD) has been fined £350,000 by the Information Commissioner’s Office (ICO) for a data breach that exposed the personal details of Afghan citizens seeking to flee the Taliban. The breach occurred when the MoD sent an email to a list of eligible evacuees, mistakenly putting the email addresses of 245 individuals in the “To” field instead of using Bcc. Two recipients then replied to all, one of whom disclosed their location. The ICO described the breach as “egregious” and highlighted the potential threat to life if the data fell into the hands of the Taliban. The MoD subsequently sent a follow-up email, correctly using Bcc, to rectify the situation.
An internal investigation revealed two similar data breaches by the MoD, with a total of 265 unique email addresses exposed. The ICO’s investigation found that the MoD did not have proper procedures in place to ensure secure group emails and had not provided specific guidance on the security risks associated with such emails. After representations from the MoD, the ICO reduced the fine from one million pounds to £350,000. The information commissioner, John Edwards, emphasized the importance of protecting people’s information, particularly when they are vulnerable and at risk of serious harm. He stated that the consequences of data breaches could be life-threatening and that organizations must be prepared to prevent such incidents.
The failure to use Bcc has caused data breaches in various organizations in the past, including the US Marshals, an inquiry into child sexual abuse, security awareness companies, and even the Dutch Data Protection Authority. This highlights the importance of using secure communication practices and being aware of the potential risks associated with sending group emails.
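The control the ICO found missing is a procedure that stops a group email going out with the whole list visible. The following is an added example, not code from the article or from the MoD, showing one way to enforce that before a message reaches the mail server: a pre-send check that rejects any message with more than one address visible in To/Cc, and a builder that always places the distribution list in Bcc. The recipient addresses and the one-visible-address threshold are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy for this example: a group mail may show at most one visible
# recipient (the sending mailbox itself); every real recipient goes in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg):
    """Return every address that recipients would see, i.e. all of To and Cc."""
    addrs = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            addrs.extend(addr for _, addr in getaddresses([str(value)]) if addr)
    return addrs


def check_group_mail(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Pre-send gate: return a list of policy violations; empty means OK to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses visible in To/Cc; group mail must use Bcc"
        )
    return problems


def build_group_mail(sender, recipients, subject, body):
    """Build a group message whose only visible recipient is the sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                     # the list itself is never visible
    msg["Bcc"] = ", ".join(recipients)     # smtplib.send_message strips Bcc
    msg["Subject"] = subject               # from the transmitted copy
    msg.set_content(body)
    return msg


# Constructed sample recipients; the .invalid TLD never resolves.
SAMPLE_RECIPIENTS = [
    "applicant-1@example.invalid",
    "applicant-2@example.invalid",
    "applicant-3@example.invalid",
]


def unsafe_group_mail(sender, recipients, subject, body):
    """The mistake described in the article: the whole list placed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    good = build_group_mail("noreply@example.invalid", SAMPLE_RECIPIENTS,
                            "Update", "Please see the attached guidance.")
    bad = unsafe_group_mail("noreply@example.invalid", SAMPLE_RECIPIENTS,
                            "Update", "Please see the attached guidance.")
    print("safe message:", check_group_mail(good) or "no violations")
    print("unsafe message:", check_group_mail(bad))
```

The check is deliberately independent of how the message was built, so it can sit in front of whatever sends mail (an `smtplib` call, a queue consumer) and refuse a message that a human or a template assembled incorrectly; relying on the author to remember Bcc is the procedure the ICO found inadequate.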
1. The British MoD has been fined £350,000 by the ICO for a data breach that exposed the personal details of Afghan citizens seeking to flee the Taliban.
2. The breach occurred due to a Cc/Bcc blunder, with email addresses of 245 individuals being exposed in the “To” field.
3. The ICO described the breach as “egregious” and highlighted the potential threat to life if the data fell into the wrong hands.
4. The MoD conducted an internal investigation and found two similar data breaches, resulting in a total of 265 unique email addresses being exposed.
5. The ICO emphasized the importance of protecting people’s information and stated that the consequences of data breaches could be life-threatening.