MoD official left sensitive data open on laptop on train in another Afghan breach
A Department of Defense official left his laptop open on a train, revealing classified information in another Afghan data breach. Independent It could come to light as new documents reveal a series of government errors that led to private data falling into the wrong hands.
An official document outlining dozens of data breaches from within the unit, which handles applications from Afghans wanting to flee the Taliban to come to the UK, describes how a “laptop screen” was left “in plain sight on {a} train” during an incident in March 2023.
An officially sensitive personal email regarding such Afghans was also mistakenly sent to the Civil Service Sports and Social Club, a group of all civil service and public sector employees with 140,000 members, in August 2023, records show.
The new details follow a devastating Ministry of Defense data breach that left thousands of Afghans assisting UK forces at risk from the Taliban. The massive breach, which was discovered in August 2023 and led to thousands of Afghans being secretly resettled in the UK, was revealed earlier this year. Independent and other media outlets fought to lift an unprecedented gag order put in place to cover up the incident.
The incidents are among 49 data breaches over the past four years at the unit, which handles applications from Afghans seeking to flee the Taliban to come to the UK; emails sent to the wrong people, unsecured systems used and information accessed by the wrong employees.
In May 2024, a decision letter regarding the personal data incident was sent to the wrong person, while in June 2023, a so-called warm welcome letter usually sent to Afghan families once they reached safety in the UK was sent to the wrong email address.
Other examples included emails sent to the wrong people, as well as an email sent to an applicant under the Afghan Relocation and Assistance Policy (Arab) resettlement scheme from a personal email address when the sender checked out. There have also been incidents of higher classification material being incorrectly downloaded and authorities inadvertently gaining access to personal medical information.
In September 2023, there were five more people using WhatsApp to share personal data. In February of the same year, the Ministry of Defense also noted that a flight manifest document had been accessed inadvertently. Ministry of Defense charter flights are frequently used to bring Afghans to safety in the UK.
Details of the data breaches were revealed in a letter sent by the Ministry of Defense (MoD) to the public accounts committee this month.
In a letter to MPs, the department’s top official, David Williams, detailed how personal data of Afghan applicants applying for the Ministry of Defense’s resettlement scheme was sent to the wrong people and accessed by the wrong employees.
He admitted that the February 2022 breach, in which a member of the Department of Defense staff mistakenly emailed a spreadsheet containing 33,000 rows of data, was “facilitated by the lack of appropriate systems to prevent or mitigate the error.” Mr. Williams admitted that the Department of Defense did not have secure casework or contact management systems in place.
The Arab scheme was established in April 2021, after the Taliban took over, to help people who feared their lives were at risk because they were working with the British in Afghanistan. The program was closed in July.
The plan is beset by revelations of poor data security, potentially putting the lives of Afghan allies at risk.
According to the Ministry of Defence’s own records, five of 49 separate data breaches over the past four years at the unit that handles relocation applications from Afghans seeking asylum in the UK were serious enough to be reported to the data watchdog the Information Commissioner’s Office (ICO).
Data incidents reported to the watchdog ICO included the spreadsheet breach in February 2022, a series of incidents where people’s details were shared via email to blind carbon copy recipients due to a glitch, and a breach related to a Microsoft Forms link.
In the case of “blind copying” breaches, the ICO fined the Ministry of Defense £350,000 for disclosing personal information of people looking to move to the UK. In one incident, the information of 265 people was accidentally disclosed. Responding to the 2022 spreadsheet breach containing data of 18,700 applicants to the Arab program, the ICO decided not to launch a formal investigation, saying doing so would take away resources from other priorities.
Dame Chi Onwurah, chair of the science, innovation and technology committee, said: “Last week, my committee heard from the information commissioner about the data protection implications of the Afghan data breach. “It was appalling to hear that the ICO and successive administrations could have done more to ensure government data practices were of a high enough standard to prevent repeated data breaches.
“Given the digital security risks that may arise from the government’s digital identity plans, this misuse of sensitive information is particularly concerning.”
The MoD documents the number of data incidents escalated to the regulator ICO each year in its annual report, including the number of people affected by these breaches. It decides whether to refer an incident to the ICO based on the perceived level of harm caused in each case.
The MoD declined to comment.
