A Ministry of Defence official revealed confidential information by leaving a laptop open on a train in another Afghan data breach, The Independent can reveal, as new documents reveal a string of government blunders which have put confidential information into the wrong hands.
An officially sensitive personal email relating to Afghans seeking safety in Britain was also accidentally sent to the Civil Service Sports & Social Club – a group for all civil service and public sector employees that has 140,000 members – in August 2023, records show.
The new details come after a catastrophic MoD data breach that potentially put thousands of Afghans who helped UK forces at risk from the Taliban. The major breach, which was discovered in August 2023 and led to thousands of Afghans being secretly relocated to the UK, only came to light earlier this year when The Independent and other media organisations fought to lift an unprecedented gagging order which had been put in place to cover it up.
The incidents are among 49 data breaches over the past four years from within the unit handling applications from Afghans wanting to flee the Taliban and come to the UK – with emails sent to the wrong people, insecure systems used and information accessed by the wrong employees.
In May 2024, a decision letter about a personal data incident was sent to the wrong person while, in June 2023, a so-called warm welcome letter, usually sent to Afghan families when they reach safety in the UK, was sent to the wrong email address.
Other examples included emails being sent to the wrong people, as well as an email sent to an applicant on the Afghan Relocations and Assistance Programme (Arap) resettlement scheme from a personal email address when the sender had logged out. There was also an incident of incorrectly downloading higher classification material and a case of officials wrongly accessing personal medical information.
In September 2023, there were also five instances of people using Whatsapp to share insecure personal data. In February of that year, the MoD also recorded inadvertent access to a flight manifest document. MoD chartered flights are often used to bring Afghans to safety in the UK.
Details of the data breaches emerged in a letter sent by the Ministry of Defence (MoD) to the Public Accounts Committee this month.
David Williams, the departmentâs top civil servant, detailed in a letter to MPs how personal data of Afghan applicants to the MoDâs resettlement scheme had been sent to the wrong people, shared on insecure systems and accessed by the wrong employees.
He admitted that the February 2022 breach, which saw a member of MoD personnel erroneously email out a spreadsheet with 33,000 lines of data, was âfacilitated by the lack of appropriate systems to prevent or mitigate the errorâ. Mr Williams admitted that the MoD did not have secure case work or contact management systems in place.
The Arap scheme was set up in April 2021 after the Taliban takeover to help people who feared their lives were at risk because they had worked alongside the British in Afghanistan. The scheme was closed in July.
The scheme has been beset by revelations of poor data security, potentially putting the lives of Afghans allies at risk of reprisals.
According to the MoDâs own records, five of 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking sanctuary in the UK were serious enough to have been reported to the data watchdog Information Commissioners Office (ICO).
The data incidents escalated to the watchdog ICO included the February 2022 spreadsheet breach, a serious of incidents where people had their details shared via email due to a failure to blind carbon copy recipients, and one breach related to a Microsoft Forms link.
In the case of the âblind copyâ breaches, the ICO fined the MoD ÂŁ350,000 for disclosing personal information of people seeking relocation to the UK. In one incident, the details of 265 people were inadvertently disclosed. Responding to the 2022 spreadsheet breach, which involved the data of 18,700 applicants to the Arap scheme, the ICO decided not to launch a formal investigation, saying that to do so would take away resources from other priorities.
Dame Chi Onwurah, chair of the science, innovation and technology committee, said: âLast week, my committee heard from the Information Commissioner about the data protection implications of the Afghan data breach. It was dismaying to hear that the ICO and successive administrations could have done more to ensure that government data practices were of a high enough standard to stop repeated data breaches from happening.
âThis mishandling of sensitive information is particularly alarming when we consider the digital security risks that may arise from the governmentâs plans for digital IDs.â
The MoD documents the number of data incidents referred to the regulator ICO each year in its annual report, including the number of people affected by these breaches. It decides whether to refer an incident to the ICO based on the perceived level of harm caused in each instance.
The MoD has declined to comment.
