UK's Ministry of Defence Fined £350,000 for Data Breach Exposing Afghan Evacuees

The breach, which revealed personal details of 245 Afghan nationals, could have posed a threat to life if fallen into the hands of the Taliban.

The UK's Ministry of Defence (MoD) has been fined £350,000 by the Information Commissioner's Office (ICO) for a data breach that exposed the personal details of Afghans eligible for evacuation.
The breach occurred when an email was sent to 245 Afghan nationals, revealing their email addresses to all recipients, with 55 having their thumbnail pictures associated with their email accounts.
Two recipients replied to all, with one revealing their location, increasing the potential risk if the information had fallen into the hands of the Taliban.
The MoD conducted an internal investigation following the breach, revealing two similar incidents had occurred earlier in September 2021.
The MoD has since updated its email policies and processes, including implementing a 'second pair of eyes' policy for emails sent to multiple external recipients.