A major security scandal is shaking the British Ministry of Defence: highly sensitive information about Afghans who collaborated with British forces and wanted to escape from the Taliban has been exposed due to the negligence of employees, including leaving a laptop open on a train and mistakenly sending official emails.
In the past four years, 49 security breaches have been discovered within the unit handling Afghan relocations, some putting the lives of applicants in danger. In one case, the ministry was fined £350,000 for the unauthorized disclosure of personal data.
Documents obtained by The Independent show that, in addition to individual negligence, the ministry sent sensitive emails to the wrong recipients, used insecure communication channels, and allowed unauthorized access to personal data.
These revelations come after a catastrophic data breach at the UK Ministry of Defence, endangering thousands of Afghans who had collaborated with British forces. The major incident, discovered in August 2023, led to the secret relocation of thousands of individuals to the UK but was kept hidden from the public by a court-ordered censorship until earlier this year, following pressure from the press.
Dozens of Security Breaches
According to documents describing these incidents, in March 2023, "the screen of a laptop" was left "in plain sight on a train."
In August 2023, another sensitive official email concerning Afghan citizens was mistakenly sent to the Civil Service Sports & Social Club, an association that brings together 140,000 public sector employees.
In May 2024, a letter containing personal data was wrongly sent, and in June 2023, a "welcome letter" intended for Afghan families who had safely arrived in the UK was sent to the wrong address.
Other errors included sending an email from a personal address to an applicant under the ARAP program (Afghan Relocations and Assistance Policy), incorrect downloading of classified documents, and illegal access to the medical information of individuals.
In September 2023, five cases were identified where employees used WhatsApp to distribute personal data, and in February of the same year, the Ministry recorded the accidental access of a passenger list for a charter flight - such flights being used to safely bring Afghans to the UK.
Details of these incidents were reported in a letter to the UK Parliament's Public Accounts Committee. In the document, David Williams, the ministry's top civil servant, admits that personal data of Afghan applicants were sent to the wrong recipients and accessed without authorization.
He acknowledged that the breach in February 2022, when a Ministry of Defence employee mistakenly sent a full Excel file with confidential data, was "facilitated by the lack of adequate systems to prevent or mitigate errors." Williams admitted that the Ministry did not have a secure system for managing cases or contacts.
The ARAP program, created in April 2021 after the Taliban takeover, aimed to help Afghans whose lives were threatened due to collaboration with British troops. The scheme was marked by multiple data security issues, endangering the lives of former Afghan collaborators.
Ministry of Defence Fined £350,000
According to official data from the British Ministry of Defence, five of the 49 incidents were serious enough to be reported to the supervisory authority - Information Commissioner’s Office (ICO).
Among these were the incident with the file from February 2022, multiple cases of erroneously sending emails in BCC (blind copy) system, and an incident related to a Microsoft Forms link. For the information leak from BCC emails, ICO fined the Ministry of Defence £350,000 after personal data of 265 individuals were accidentally disclosed.
Regarding the 2022 file containing data of 18,700 ARAP applicants, ICO decided not to open a formal investigation, citing resource constraints.
"Last week, representatives of the Committee on Science, Innovation, and Technology discussed with the Information Commissioner the implications of the data breach in the Afghanistan case. It was disheartening to hear that ICO and successive administrations could have done more to ensure higher standards in government data protection," said Dame Chi Onwurah, head of the Committee on Science, Innovation, and Technology.
G.P.