Despite the significant number of data breaches by banks, telecommunications companies, the civil service and others, none have caused such a sharp intake of breath as the MOD’s recent admission that it inadvertently released the email addresses of 250 Afghan interpreters, many of whom were already in hiding from the Taliban.
This data breach is not just sensitive but potentially fatal for those involved. Although the Secretary of State was reported to be livid, all the MOD could do was to initiate a damage limitation exercise, suspend the official believed to be responsible, and launch an investigation.
A day later, a second MOD data breach came to light. It appears that details of a further 55 Afghan citizens, who might be eligible for relocation to the UK under the Afghan Relocation and Assistance Policy, were mistakenly made public in an email.
There are justifiable fears that the two data breaches could endanger lives if the Taliban obtained the personal information the emails contained.
The shadow defence secretary has said “clearly, the defence secretary needs to get his house in order.” The MOD has announced that an investigation into the second data breach has also been launched.
Data protection protects lives
In response to questioning in the House of Commons, Ben Wallace noted: “The modern rules that govern information security are, I believe, fit for purpose, it’s really about the training and the following and the adherence of it that must be improved.” This statement counters criticism that much of the data protection regulation introduced in 2018, under the auspices of the GDPR, amounted to an excess of red tape. The MOD’s data breaches are tragic examples of why the principles underpinning data protection legislation are vital, and why every organisation handling data must ensure its employees are properly trained to avoid breaches. They hammer home the importance of keeping data secure, given the potentially catastrophic consequences in circumstances such as these.
Data breaches: ‘a significant negative effect’
The ICO website provides plenty of detail around the duty to prevent a data breach and how to recognise and respond to a breach, whether accidental or deliberate. It defines a personal data breach “… as a security incident that has affected the confidentiality, integrity or availability of personal data.” In short, a personal data breach occurs whenever personal data is accidentally lost, destroyed, corrupted or disclosed, or whenever someone accesses the data or passes it on without proper authorisation. It also emphasises that the “focus of risk regarding breach reporting is on the potential negative consequences for individuals.”
Data protection training is critical
Unfortunately, although all the affected individuals have been told about the breaches and advised that their email addresses had been compromised, several had already replied to the original email, not having noticed that their email address was visible to every other recipient. All respondents were told to change their email address, but for some this may have been too little, too late.
Many of the data breaches that have come to light, particularly those revealing sensitive financial information, have been the result of a technological glitch or of a deliberate act as part of a hacking attack. The fact that these breaches appear to have been the result of human error serves to re-emphasise the critical importance of comprehensive training for all staff: even where lives are not at stake, as they are in these breaches, the accidental release of sensitive information will compromise the ‘rights and freedoms’ of those affected.
Our online lives are vulnerable
With so much detail about our lives now handled automatically, the potential for information to go astray is only too real. Electronic information is, by its very nature, vulnerable – it takes only an incorrect keystroke to cause a catastrophic data breach. The MOD’s data breaches, and their grave consequences, should serve as a wake-up call to us all – data protection must be taken seriously.
We regularly advise businesses on how to comply with data protection law. Many companies find a data protection audit is an excellent way to assess how robust their data protection processes are: please get in touch if you would like to discuss how such an audit can help your organisation.