A Ministry of Defence official revealed confidential information by leaving a laptop open on a train in another Afghandata breach, The Independent can reveal, as new documents uncover a string of government blunders which have put private data in the wrong hands.
An official document outlining dozens of data breaches from within the unit handling applications from Afghans wanting to flee the Taliban and come to the UK describes how a “laptop screen” was left “in view on {a} train” during an incident in March 2023.
An officially sensitive personal email relating to such Afghans was also accidentally sent to the Civil Service Sports & Social Club – a group for all civil service and public sector employees that has 140,000 members – in August 2023, records show.
The new details come after a catastrophic MoD data breach that potentially put thousands of Afghans who helped UK forces at risk from the Taliban. The major breach, which was discovered in August 2023 and led to thousands of Afghans being secretly relocated to the UK, only came to light earlier this year when The Independent and other media organisations fought to lift an unprecedented gagging order which had been put in place to cover it up.
The incidents are among 49 data breaches over the past four years from within the unit handling applications from Afghans wanting to flee the Taliban and come to the UK – with emails sent to the wrong people, insecure systems used and information accessed by the wrong employees.
In May 2024, a decision letter about a personal data incident was sent to the wrong person, while in June 2023, a so-called warm welcome letter, usually sent to Afghan families when they reach safety in the UK, was sent to the wrong email address.
Other examples included emails being sent to the wrong people, as well as an email sent to an applicant on the Afghan Relocations and Assistance Policy (Arap) resettlement scheme from a personal email address when the sender had logged out. There was also an incident of incorrectly downloading higher classification material and a case of officials wrongly accessing personal medical information.
In September 2023, there were also five instances of people using WhatsApp to share personal data. In February of that year, the MoD also recorded inadvertent access to a flight manifest document. MoD chartered flights are often used to bring Afghans to safety in the UK.
Details of the data breaches emerged in a letter sent by the Ministry of Defence (MoD) to the public accounts committee this month.
David Williams, the department’s top civil servant, detailed in a letter to MPs how personal data of Afghan applicants to the MoD’s resettlement scheme had been sent to the wrong people and accessed by the wrong employees.
He admitted that the February 2022 breach, which saw a member of MoD personnel erroneously email out a spreadsheet with 33,000 lines of data, was “facilitated by the lack of appropriate systems to prevent or mitigate the error”. Mr Williams admitted that the MoD did not have secure case work or contact management systems in place.
The Arap scheme was set up in April 2021 after the Taliban takeover to help people who feared their lives were at risk because they had worked alongside the British in Afghanistan. The scheme was closed in July.
The scheme has been beset by revelations of poor data security, potentially putting the lives of Afghan allies at risk.
According to the MoD’s own records, five of 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking sanctuary in the UK were serious enough to have been reported to the data watchdog, the Information Commissioner’s Office (ICO).
The data incidents escalated to the watchdog ICO included the February 2022 spreadsheet breach, a series of incidents where people had their details shared via email with blind carbon copy recipients due to a failure, and one breach related to a Microsoft Forms link.
In the case of the “blind copy” breaches, the ICO fined the MoD £350,000 for disclosing personal information of people seeking relocation to the UK. In one incident, the details of 265 people were inadvertently disclosed. Responding to the 2022 spreadsheet breach, which involved the data of 18,700 applicants to the Arap scheme, the ICO decided not to launch a formal investigation, saying that to do so would take away resources from other priorities.
Dame Chi Onwurah, chair of the science, innovation and technology committee, said: “Last week, my committee heard from the information commissioner about the data protection implications of the Afghan data breach. It was dismaying to hear that the ICO and successive administrations could have done more to ensure that government data practices were of a high enough standard to stop repeated data breaches from happening.
“This mishandling of sensitive information is particularly alarming when we consider the digital security risks that may arise from the government’s plans for digital IDs.”
The MoD documents the number of data incidents referred to the regulator ICO each year in its annual report, including the number of people affected by these breaches. It decides whether to refer an incident to the ICO based on the perceived level of harm caused in each instance.
The MoD has declined to comment.
