PrivacyCache
GB | Data Breach | Other | Decision: 2022-12-21

Ministry of Defence

GBP 350K

Issued by Information Commissioner's Office (ICO) on 2022-12-21

What happened

The ICO fined the Ministry of Defence £350,000 for a serious data breach involving the disclosure of personal information of Afghan nationals who had worked with and assisted UK forces in Afghanistan. In September 2021, an email was sent to a distribution list of Afghan nationals who had applied for relocation to the UK under the Afghan Relocations and Assistance Policy (ARAP). The email, sent using CC rather than BCC, exposed the email addresses — and in some cases names and profile pictures — of 245 individuals, some of whom were still in Afghanistan after the Taliban takeover. This put individuals at direct risk of harm. A second similar email breach occurred shortly afterwards, affecting 55 individuals.

Articles violated

Art. 5(1)(f) UK GDPR; Art. 32 UK GDPR

Lessons learned

When emailing groups of individuals, BCC must always be used to prevent disclosure of recipients' identities. This is especially critical when recipients may be at physical risk. Organizations handling sensitive data about vulnerable populations must implement technical controls to prevent mass CC disclosures, such as email list management tools. Staff training on email security is essential. The severity of potential harm to data subjects is a key factor in enforcement — breaches that endanger lives attract the highest scrutiny.
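The technical control described above, an outbound-mail check that flags messages exposing many recipients in To/Cc and can rewrite them into Bcc, as an added example that is not part of the ICO decision or of the PrivacyCache summary; the threshold, the addresses and the sample message are constructed.

```python
"""Outbound-gateway check against mass CC disclosure (added example, constructed data)."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed policy threshold: more than this many visible recipients is a mass mailing.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(msg: Message) -> list[str]:
    """Addresses every recipient will see: To and Cc, excluding the sender, deduplicated.
    Bcc is not included because the submitting server strips it before delivery."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    seen: list[str] = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        a = addr.lower()
        if a and a != sender and a not in seen:
            seen.append(a)
    return seen


def check_outbound(raw: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Gateway decision: how many recipients are disclosed and whether policy is breached."""
    visible = visible_recipients(message_from_string(raw))
    return {"visible_count": len(visible), "violation": len(visible) > limit}


def rewrite_to_bcc(raw: str, sender_address: str) -> str:
    """Remediation: move every visible recipient into Bcc and put the sender in To,
    so the delivered copies disclose no other recipient's address."""
    msg = message_from_string(raw)
    visible = visible_recipients(msg)
    existing_bcc = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender_address
    msg["Bcc"] = ", ".join(dict.fromkeys(existing_bcc + visible))
    return msg.as_string()


# Constructed sample: a distribution-list style message with 12 applicants in Cc.
SAMPLE = "\r\n".join([
    "From: relocations@example.gov.test",
    "To: relocations@example.gov.test",
    "Cc: " + ", ".join(f"applicant{i}@example.test" for i in range(1, 13)),
    "Subject: Update",
    "",
    "Body text.",
])

if __name__ == "__main__":
    print(check_outbound(SAMPLE))                      # flagged: 12 visible recipients
    print(check_outbound(rewrite_to_bcc(SAMPLE, "relocations@example.gov.test")))
```

In a real deployment the check would run as a milter or content filter on the submission server, rejecting or quarantining the message rather than silently rewriting it, so the sender learns why it was held.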

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
