Ministers have agreed to pay £1.6 million in compensation after a data breach exposed the personal information of Afghan nationals seeking to flee the Taliban takeover.
The Ministry of Defence (MoD) has already been fined £350,000 over the breach, which saw the details of 265 people mistakenly copied into emails sent by the Government in September 2021.
Announcing the fine in December 2023, the Information Commissioner’s Office (ICO) said the breach could have led to a “threat to life” if the data had fallen into the hands of the Taliban.
In a written statement to Parliament on Friday, armed forces minister Luke Pollard said the MoD had agreed to pay up to £4,000 to each person affected, with the total cost expected to be “in the region of £1.6 million”.
Mr Pollard said he could not “undo past mistakes”, but sought to reassure MPs that he would “drive improvement in the department’s data handling training and practices”.
He added: “Defence’s record on these topics must improve and I am determined to ensure it does.”
The breach involved the MoD’s Afghan Relocations and Assistance Policy (Arap), which was responsible for relocating Afghan nationals who had worked for or with the UK Government and were therefore at risk of reprisals once the Taliban returned to power in Kabul.
In its ruling, the ICO found Arap had not taken steps to prevent personal information being disclosed, which came to light after two people “replied all” to an email, with one providing their location to the entire distribution list.
The original email was sent on September 20 2021 to vulnerable people left behind after the British airlift from Kabul.
The MoD then launched an internal investigation that revealed two similar breaches on September 7 and September 13 that year, the ICO said.
