MoD reported seven data incidents to the ICO between 2020 and 2021

The Ministry of Defence (MoD) formally reported seven data incidents to the Information Commissioner’s Office (ICO) between 2020 and 2021, the department's Annual Report and Accounts have revealed.

The most serious case involved an email account associated with MoD Schools - the institutions in place to provide education to the children of service personnel, mainly overseas - being compromised for a 72-hour period. During this time, details of students and parents were disclosed and affected 4,142 people. The ICO provided guidance in response and determined no further action was necessary, it told IT Pro.

A total of 4,331 individuals were affected by the combined seven incidents, the vast majority of which were those involved in the MoD School-related incident.

In another case, one individual emailed personal data, including identities and home addresses of MoD personnel, to external organisations and international media outlets, affecting a total of 147 individuals. The case was already being investigated by the Military Police and the ICO did not intervene.

A number of social media-based incidents also occurred involving one incident in which images from an incident logbook were posted to social media. The images were of an individual’s injuries, how they were sustained, and details of the affected individual.

Another individual also posted MoD documents to a closed social media group. These documents contained details of cadets and adult volunteers, affecting 30 people.

A separate incident saw an unredacted copy of criminal allegations incorrectly passed to the accused in administrative action. Affecting five people, the copy of allegations included the identity of the victim and details of the associated witness statements. ICO enquiries are ongoing, it told IT Pro.

The final incident involved one person’s name and location details mistakenly published to the House of Commons website as a result of submitting a question to their MP.

The ICO said it was made aware of all seven cases and in most instances, it simply provided the MoD with guidance without further investigation necessary.

"We take the security of MOD personnel, systems and establishments very seriously," said an MoD spokesperson to IT Pro. "As soon as these incidents were reported, their severity was assessed and passed to the Information Commissioner’s Office in line with our obligations under the law.

"The Information Commissioner’s Office has not raised any concerns about MOD’s handling of these incidents."

Commenting on the news, Donal Blaney, founder of Griffin Law, said: “Our courageous soldiers, sailors and air force personnel are willing to sacrifice their lives – often working under cover and in extreme conditions – so we can live in safety and freedom.

“The least the Ministry of Defence could do is keep these brave heroes’ personal data safe and secure. Instead, their identities, and potentially the safety of their families and friends, have been put at risk by superannuated MoD pen pushers who are not fit to lick their boots. The Information Commissioner needs to investigate these breaches and bring those responsible to justice.”

The MoD’s data controller specified an additional 552 incidents that occurred within the department but didn’t meet the criteria for reporting to the ICO, representing a slight increase in cases from the 546 reported in 2019-20.

Most recent incidents included cases of inadequately protected electronic equipment or paper documents from in and outside government premises being lost, insecure disposal of inadequately protected paper documents, and other cases of unauthorised disclosure of data.

Details of a ‘record number’ of security breaches at the Ministry of Defence was revealed earlier in 2021 after a number of heavily redacted documents were handed to Sky News.

The information gleaned from the redacted documents did not match up with the aforementioned incidents as reported in the latest Annual Report and Accounts from the MoD but did reveal secret information belonging to the department was exposed to hostile states.

Other incidents involved data sent to an unauthorised domain, potential compromises to MoD-owned systems, misconfigured infrastructure and more.

Speaking at the time, an MoD spokesperson said: “The MoD takes the security of its personnel, systems and establishments very seriously and continually seek to improve security incident reporting.

“We have recently introduced policy, processes and tools to make internal and external reporting easier and more efficient, and the increase in reports can be largely attributed to these improvements.”

In September 2021, an MoD data breach within the Afghan Relocations and Assistance Policy team also saw the lives of Afghan interpreters put at risk after the Taliban seized control of the country a month earlier.

Many of the individuals affected were hiding at the time, but their names emails and, in some cases, pictures were included in an email sent without concealing the full recipient lists' identities. Around 250 people were thought to be affected by the incident.