The Ministry of Defence has admitted there have been 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking safety in the UK.<\/p>\n
Four out of the 49 breaches were already publicly known \u2013 including the leak in 2022 of a spreadsheet containing details of almost 19,000 people fleeing the Taliban.<\/p>\n
This mammoth data breach, which led to thousands of Afghans being secretly relocated to the UK, was only revealed last month after the High Court lifted a gagging order.<\/p>\n
It was described by the UK\u2019s information watchdog as a \u201cone-off occurrence following a failure to [follow] usual checks, rather than reflecting a wider culture of non-compliance\u201d.<\/p>\n
However, lawyers representing Afghans affected by data breaches said the new figures, released to the BBC under the Freedom of Information Act, raised concerns about a culture of lax security among those working on the resettlement scheme.<\/p>\n
The MoD has refused to provide any details of the nature of each breach but incidents which have previously been made public include officials inadvertently revealing the email addresses or other personal details of applicants to third parties.<\/p>\n
Adnan Malik, Head of Data Protection at Barings Law which represents hundreds of Afghans affected by the biggest of the breaches in February 2022, said: \u201cWhat began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings.<\/p>\n
\u201cWe urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.\u201d<\/p>\n
The Afghan Relocations and Assistance Policy (ARAP) was set up in April 2021 to help people who feared their lives were at risk because they had worked with British armed forces in Afghanistan and to resettle eligible applicants and their family members in the UK. It was closed in July this year.<\/p>\n
The scheme has been dogged by revelations about poor data security, potentially putting the lives of Afghans who worked with British forces at risk.<\/p>\n
In September 2021, BBC News revealed that more than 250 Afghans seeking relocation to the UK were mistakenly copied into an email from the Ministry of Defence, putting them at risk of reprisals.<\/p>\n
A total of 265 email addresses were shared in this way across three separate incidents that month, which ultimately led to a \u00a3350,000 fine from the watchdog.<\/p>\n
The breaches were \u201cintensely difficult and embarrassing for the government handling publicly\u201d, one defence source said.<\/p>\n
Ben Wallace, the then-defence secretary, expressed his personal anger at what had occurred, telling MPs: \u201cI am very keen that it is not just the poor person who drafts the email who is held to account, but the chain upwards, to ensure that this does not happen again.\u201d<\/p>\n
Two months after the incidents, in November 2021, the then Conservative government announced \u201csignificant remedial actions\u201d, including new data handling procedures and training as well as a new \u201ctwo pairs of eyes rule\u201d requiring any external email to an ARAP-eligible Afghan national be reviewed by a second member of staff before being sent.<\/p>\n
The government said the measures were taken to \u201cprevent such incidents occurring again\u201d.<\/p>\n
Instead, data breaches continued including, in February 2022, a potentially catastrophic leak which saw a soldier at Regent\u2019s Park barracks send a spreadsheet with what they believed to be a small number of applicants\u2019 names to trusted Afghan contacts.<\/p>\n
They did not realise that hidden data in the spreadsheet in fact contained the names, contact details and some information about family members and associates for nearly 19,000 people.<\/p>\n
When the leak was discovered some 18 months later, in August 2023, the then-Conservative government sought a gagging order to prevent details of the error being made public. The government successfully argued that lives were at risk and the Taliban would be alerted if an injunction wasn\u2019t granted.<\/p>\n
The super injunction which was imposed was not lifted until July this year.<\/p>\n
Jon Baines, a senior data protection specialist at the law firm Mishcon de Reya, said the new figures uncovered by the BBC show a \u201cremarkable number of data security incidents in relation to the ARAP scheme\u201d.<\/p>\n
\u201cIt is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place,\u201d he added.<\/p>\n
Seven of the 49 data breaches were sufficiently serious to require MoD officials to notify data watchdog the Information Commissioner\u2019s Office (ICO).<\/p>\n
This includes three breaches \u2013 one in 2021, and two in 2022 \u2013 that have not been made public before.<\/p>\n
The ICO said it was limited in the amount of information it still held on those breaches and why it didn\u2019t take further action but that its work with the MoD was \u201congoing\u201d.<\/p>\n
\u201cWe continue to engage with the MoD, so we can be assured that they have made the required improvements,\u201d a spokeswoman said.<\/p>\n
The watchdog has not taken any action against the MoD over the large spreadsheet data breach which was previously subject to court-imposed reporting restrictions, arguing \u201cthere was little we could add in this case that would justify the further allocation of resource away from other priorities\u201d.<\/p>\n
Jon Baines said there were \u201cserious questions firstly as to whether the ICO should have conducted more in-depth investigations previously, and secondly, whether there is now an urgent need for more investigation.<\/p>\n
\u201cWhat assurance can we all have now that the MoD are properly protecting the highly sensitive personal data it is often entrusted with?\u201d, he added.<\/p>\n
A Labour government source blamed previous Conservative administrations for inadequate data protection measures and said new software has been introduced and other changes made since Labour came to power last year.<\/p>\n
\u201cCurrent ministers repeatedly highlighted the Tory mismanagement of data around the ARAP scheme while in opposition,\u201d the source said.<\/p>\n
\u201cSince last July, we\u2019ve brought in a host of new measures to improve data security and we\u2019ve made public the largest Afghan data breach which occurred under the previous government, to allow for parliamentary scrutiny and accountability.\u201d<\/p>\n
A Conservative Party spokesman said: \u201cThis data leak should never have happened and was an unacceptable breach of data protection protocols.<\/p>\n
The secretary of state for defence has issued an apology on behalf of the government, and Conservatives joined in that apology.<\/p>\n
\u201cWhen this breach came to light, the immediate priority of the then-government was to protect persons in the dataset.\u201d<\/p>\n
An MoD spokesperson said: \u201cWe take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.<\/p>\n
\u201cAll incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner\u2019s Office, and any lesser incidents are examined internally to ensure lessons are learned.\u201d<\/p>","protected":false},"excerpt":{"rendered":"
The Ministry of Defence has admitted there have been 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking safety in the UK. Four out of the 49 breaches were already publicly known \u2013 including the leak in 2022 of a spreadsheet containing details of almost 19,000 […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-120093","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/120093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/comments?post=120093"}],"version-history":[{"count":0,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/120093\/revisions"}],"wp:attachment":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/media?parent=120093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/categories?post=120093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/tags?post=120093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}