Ministry of Defence (MoD), UK

The UK Ministry of Defence (MoD) disclosed **49 data breaches** tied to its **Afghan Relocations and Assistance Policy (ARAP)** and related schemes for Afghan nationals who aided UK forces. The most severe incident, a **February 2022 spreadsheet error**, exposed **18,700 Afghans’ personal data**, including those seeking UK resettlement after the Taliban’s return. The breach, concealed under a super-injunction until July 2025, incurred **£850M+ in mitigation costs** and risked endangering lives by revealing identities to hostile actors.

Other breaches included:

- **Blind carbon copy (BCC) failures** (3 incidents, £350K ICO fine), exposing email recipients’ identities.
- **WhatsApp messages** with insecure personal data.
- **Misdirected emails** (e.g., sent to the *Civil Service Sports Club* or with incorrect classification levels).
- **Physical exposure**: An **MODNET laptop screen** displaying sensitive data on public transport.
- **Microsoft Forms incident** (October 2021), further compromising data.

Only **5 of 49 incidents** were reported to the ICO, though the watchdog accepted the MoD’s risk assessments. The breaches stemmed from **operational negligence** during high-stakes relocation efforts, heightening risks for vulnerable Afghan allies. The **Defence Select Committee** is investigating the 2022 breach under a broader inquiry.

Source: https://www.publictechnology.net/2025/10/23/defence-and-security/mod-lifts-lid-on-almost-50-data-breaches-affecting-afghan-resettlement-schemes/

TPRM report: https://www.rankiteo.com/company/uk-ministry-of-defence

"id": "uk-5762957102325",
"linkid": "uk-ministry-of-defence",
"type": "Breach",
"date": "10/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Afghan nationals under ARAP and '
                                              'Afghanistan Locally Employed '
                                              'Staff Ex-Gratia Scheme (~18,700 '
                                              'in spreadsheet error; total '
                                              'across 49 incidents '
                                              'unspecified)',
                        'industry': 'Defence/Public Sector',
                        'location': 'United Kingdom',
                        'name': 'UK Ministry of Defence (MoD)',
                        'type': 'Government Ministry'},
                       {'customers_affected': '~18,700 (spreadsheet error) + '
                                              'unknown additional in other '
                                              'incidents',
                        'location': 'Afghanistan/UK',
                        'name': 'Afghan Relocations and Assistance Policy '
                                '(ARAP) Applicants',
                        'type': 'Individuals'},
                       {'location': 'Afghanistan/UK',
                        'name': 'Afghanistan Locally Employed Staff Ex-Gratia '
                                'Scheme Participants',
                        'type': 'Individuals'}],
 'attack_vector': ['Human Error (BCC misconfiguration)',
                   'Improper Data Storage (spreadsheet error)',
                   'Insecure Communication (WhatsApp messages)',
                   'Misclassified Emails',
                   'Physical Exposure (laptop screen visibility)'],
 'data_breach': {'file_types_exposed': ['Spreadsheets (e.g., February 2022 '
                                        'incident)',
                                        'Emails (BCC incidents)',
                                        'WhatsApp messages',
                                        'Microsoft Forms submissions'],
                 'number_of_records_exposed': '~18,700 (spreadsheet error) + '
                                              'unknown in other incidents',
                 'personally_identifiable_information': 'Yes (names, contact '
                                                        'details, relocation '
                                                        'status)',
                 'sensitivity_of_data': 'High (personal data of at-risk '
                                        'individuals; potential '
                                        'life-threatening consequences if '
                                        'exposed to Taliban)',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII) of Afghan '
                                              'nationals',
                                              'Relocation/assistance '
                                              'application details',
                                              'Contact information (emails, '
                                              'phone numbers)',
                                              'Official sensitive data '
                                              '(displayed on laptop)']},
 'date_detected': ['2021-10-08 (Microsoft Forms incident)',
                   '2022-02 (spreadsheet error, discovered in 2023-08)',
                   '2021 (multiple BCC incidents)',
                   'Various dates for 44 other unreported incidents'],
 'date_publicly_disclosed': ['2023-07 (spreadsheet error super-injunction '
                             'lifted)',
                             '2023-10-07 (letter to MPs published by PAC on '
                             '2023-11)'],
 'description': 'The UK Ministry of Defence (MoD) disclosed 49 data breaches '
                'related to its handling of efforts to relocate Afghan '
                'nationals who worked for the UK government. These breaches '
                'included wrongful disclosure or inadequate security of '
                'personal information, with incidents ranging from spreadsheet '
                'errors to insecure WhatsApp messages and misclassified '
                'emails. The most severe incident, a February 2022 spreadsheet '
                'error affecting ~18,700 Afghans, was initially under a '
                'super-injunction and had estimated mitigation costs of £850 '
                'million. Only five incidents were reported to the Information '
                "Commissioner’s Office (ICO), including three 'blind carbon "
                "copy' (BCC) breaches that resulted in a £350,000 fine.",
 'impact': {'brand_reputation_impact': 'High (public disclosure of failures in '
                                       'protecting vulnerable Afghan allies; '
                                       'scrutiny from MPs and media)',
            'data_compromised': ['Personal information of Afghan nationals '
                                 '(including ~18,700 in spreadsheet error)',
                                 'Sensitive relocation/assistance data',
                                 'Contact details (visible in BCC incidents)'],
            'financial_loss': '£850 million (estimated mitigation cost for '
                              'spreadsheet error) + £350,000 (ICO fine for BCC '
                              'incidents)',
            'identity_theft_risk': 'High (exposed personal data of at-risk '
                                   'Afghan nationals)',
            'legal_liabilities': ['£350,000 ICO fine for BCC incidents',
                                  'Potential further fines/legal actions from '
                                  'ongoing inquiries'],
            'operational_impact': 'Ongoing parliamentary inquiries (Public '
                                  'Accounts Committee, Defence Select '
                                  'Committee); reputational damage to MoD and '
                                  'UK government'},
 'investigation_status': 'Ongoing (Defence Select Committee inquiry; PAC '
                         'follow-up)',
 'post_incident_analysis': {'root_causes': ['Human error (failure to use BCC; '
                                            'improper data handling)',
                                            'Inadequate training on data '
                                            'protection policies',
                                            'Lack of technical safeguards '
                                            '(e.g., email validation, data '
                                            'classification enforcement)',
                                            'Cultural issues (e.g., WhatsApp '
                                            'use for sensitive communications)',
                                            'Process failures (e.g., '
                                            'spreadsheet access controls)']},
 'references': [{'source': 'The Register'},
                {'source': 'UK Parliament Public Accounts Committee'},
                {'source': 'UK Ministry of Defence Letter to MPs '
                           '(2023-10-07)'}],
 'regulatory_compliance': {'fines_imposed': '£350,000 (for BCC incidents)',
                           'legal_actions': ['Public Accounts Committee '
                                             'inquiry (2023-09)',
                                             'Defence Select Committee inquiry '
                                             '(ongoing, launched 2023-11)',
                                             'Potential further actions '
                                             'pending inquiry outcomes'],
                           'regulations_violated': ['UK GDPR (General Data '
                                                    'Protection Regulation)',
                                                    'Data Protection Act 2018'],
                           'regulatory_notifications': '5 incidents reported '
                                                       'to ICO (including 3 '
                                                       'BCC incidents and '
                                                       'February 2022 '
                                                       'spreadsheet error)'},
 'response': {'communication_strategy': ['Letter to MPs (2023-10-07, published '
                                         '2023-11)',
                                         'Public Accounts Committee evidence '
                                         'session (2023-09)',
                                         'Defence Select Committee inquiry '
                                         '(ongoing)'],
              'containment_measures': ['Super-injunction for spreadsheet error '
                                       '(lifted in 2023-07)',
                                       'ICO reporting for selected incidents',
                                       'Internal reviews by MoD'],
              'incident_response_plan_activated': 'Yes (internal '
                                                  'investigations; reporting '
                                                  'to ICO for 5 incidents)',
              'remediation_measures': ['£850m allocated for mitigation of '
                                       'spreadsheet error',
                                       'Policy/process reviews (implied by '
                                       'parliamentary inquiries)']},
 'stakeholder_advisories': ['Letter from MoD Permanent Secretary David '
                            'Williams to MPs (2023-10-07)',
                            'Public Accounts Committee evidence session '
                            '(2023-09)',
                            'Defence Select Committee call for evidence '
                            '(closed 2023-11)'],
 'title': "Multiple Data Breaches in UK Ministry of Defence's Afghan "
          'Relocations and Assistance Policy (ARAP)',
 'type': ['Data Breach',
          'Unauthorized Disclosure',
          'Improper Data Handling',
          'Privacy Violation'],
 'vulnerability_exploited': ['Lack of BCC usage in group emails',
                             'Inadequate access controls for sensitive '
                             'spreadsheets',
                             'Unsecured communication channels (WhatsApp)',
                             'Improper data classification procedures',
                             'Lack of physical security for sensitive data '
                             'display']}