The Ministry of Defence (MoD) has been fined £350,000 over an email blunder that exposed details of interpreters fleeing Afghanistan.
The 265 people affected had worked with the UK government – some were in hiding when the Taliban seized control.
Lives could have been at risk had data fallen into their hands, the data watchdog said.
The MoD said it recognised the severity of the breach, fully acknowledged the ruling and apologised to the victims.
The information commissioner, John Edwards said the error “let down those to whom our country owes so much”.
He added: “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today,” he added.
The main breach was first revealed by the BBC in September 2021. It occurred when the Afghan relocations and assistance policy team (Arap) sent a mass email to 245 people who had worked with the UK government, who were eligible for evacuation. Most, but not all as interpreters.
Reply all
In the message, their addresses were put in the “to” field rather than the intended blind carbon copy (Bcc) field – meaning email addresses were visible to all recipients.
Further information about those trying to leave Afghanistan, including one person’s location, was then exposed when two people responded to the email by selecting “reply all”.
A MoD internal investigation found two similar incidents, bringing the total number of people affected to 265, the Information Commissioner’s Office said.
According to the ICO, the Bcc error is one of the top causes of data breaches.
‘Could have cost lives’
An interpreter affected by the breach, speaking in 2021, told the BBC the mistake “could cost the life of interpreters, especially for those who are still in Afghanistan.”
“Some of the interpreters didn’t notice the mistake and they replied to all the emails already and they explained their situation which is very dangerous. The email contains their profile pictures and contact details.”
Former defence secretary Ben Wallace said at the time it would be an understatement to say he had been angered by the breach.
The incident “let down the thousands of members of the armed forces and veterans,” Mr Wallace told the House of Commons in September 2021.
The ICO’s investigation into the breach found between August and September 2021, the MoD failed to comply with UK data protection requirements for technical processes to safeguard data.
It acknowledged the difficult circumstances under which the incident occurred but “when the level of risk and harm to people heightens, so must the response,” Mr Edwards said.
The watchdog said it had reduced an initial fine of £1m to £700,000 in recognition of the measures taken by the MoD to report the incident, limit its impact and the difficulties of the situation for teams handling the relocation of staff.
This was cut further to £350,000 as part of an ongoing effort by the ICO to reduce the impact of government fines on the public.
The MoD said it had “cooperated extensively” with the data watchdog to resolve the breach.
“We recognise the severity of what has happened. We fully acknowledge today’s ruling and apologise to those affected”, a spokesperson said.