The Ministry of Defence (MoD) has launched an investigation following a data leak in which the identities of more than 250 Afghan interpreters may have been compromised.
An email the MoD sent to interpreters who had worked for the British forces and were seeking refuge, after the Taliban seized control of the county last month, included the addresses of all recipients, according to BBC News.
Although many of these individuals are in hiding, their email addresses could be seen by everyone in the chain, as well as people’s names and profile pictures in some cases.
The email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (Arap), which has been in touch with these interpreters since the Taliban took over. The message advised those still stranded that the organisation was working to extract them, advising them not to leave their current location if it wasn’t safe to do so.
The MoD sent another email 30 minutes later with the title “Urgent - Arap case contact” which acknowledged the error and asked recipients to delete their previous email, suggesting their details may have been compromised.
Challenging the rules of security
Protecting data and simplifying IT management with Chrome OS
“An investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team,” an MoD spokesperson said, according to the Guardian. “We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again.
“The Ministry of Defence takes its information and data handling responsibilities very seriously.”
The shadow defence secretary told the newspaper that this breach has “needlessly put lives at risk”, adding the priority should be to step up efforts to relocate these individuals.
This is the latest public sector blunder caused by misuse of the ‘cc’ and ‘bcc’ fields when sending sensitive messages to large groups of people.
Last year, for example, an employee from outsourcing giant Serco accidentally pasted the email addresses of 300 contact tracers into the bcc field when sending a message.
In 2018, the Independent Inquiry Into Child Sexual Abuse (IICSA) was fined £200,000 for leaking the personal data of possible abuse victims. In this case, a staff member inadvertently sent a mass email to 90 participants by copying their emails into the ‘to’ field rather than the ‘bcc’ field.
A couple of years before that, the NHS was fined £180,000 for leaking the personal details of HIV patients in 2015. A similar blunder saw the details of 780 clinic attendees with the 56 Dean Street clinic in Soho leaked in an email.
