MoD data breach ‘put lives of Afghan interpreters at risk’

The blunder exposed the email addresses of 250 interpreters seeking relocation

The Ministry of Defence (MoD) has launched an investigation following a data leak in which the identities of more than 250 Afghan interpreters may have been compromised.

An email the MoD sent to interpreters who had worked for the British forces and were seeking refuge, after the Taliban seized control of the country last month, included the addresses of all recipients, according to BBC News.

Although many of these individuals are in hiding, their email addresses could be seen by everyone in the chain, as well as people’s names and profile pictures in some cases.

The email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (Arap), which has been in touch with these interpreters since the Taliban took over. The message told those still stranded that the organisation was working to extract them, and advised them not to leave their current location if it wasn’t safe to do so.

The MoD sent another email 30 minutes later with the title “Urgent - Arap case contact” which acknowledged the error and asked recipients to delete their previous email, suggesting their details may have been compromised. 


“An investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team,” an MoD spokesperson said, according to the Guardian. “We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again.

“The Ministry of Defence takes its information and data handling responsibilities very seriously.”

The shadow defence secretary told the newspaper that this breach has “needlessly put lives at risk”, adding the priority should be to step up efforts to relocate these individuals.

This is the latest public sector blunder caused by misuse of the ‘cc’ and ‘bcc’ fields when sending sensitive messages to large groups of people. 

Last year, for example, an employee from outsourcing giant Serco accidentally pasted the email addresses of 300 contact tracers into the bcc field when sending a message. 

In 2018, the Independent Inquiry Into Child Sexual Abuse (IICSA) was fined £200,000 for leaking the personal data of possible abuse victims. In this case, a staff member inadvertently sent a mass email to 90 participants by copying their emails into the ‘to’ field rather than the ‘bcc’ field. 

A couple of years before that, the NHS was fined £180,000 for leaking the personal details of HIV patients in 2015. A similar blunder saw the details of 780 attendees of the 56 Dean Street clinic in Soho leaked in an email.
