2 days ago
Afghans in MoD data breach can claim £4,000 compensation
Afghans who had their 'lives put at risk' because of a data breach have been told they can claim up to £4,000 in compensation four years after the incident happened.
Human error resulted in the personal information of 265 Afghans who had worked alongside British troops being shared with hundreds of others who were on the same email distribution list in September 2021.
In December 2023 the UK information commissioner fined the Ministry of Defence (MoD) £350,000 and said the 'egregious' breach could have been life-threatening.
John Healey, who was shadow defence secretary, said in 2021: 'We told these Afghans interpreters we would keep them safe, instead this breach has needlessly put lives at risk.'
On Friday afternoon the MoD slipped out a statement to update MPs and the Afghans on the case, saying that Afghans were now entitled to compensation.
In a written ministerial statement, Lord Coaker said the MoD was taking a 'proactive' approach to the historical data-handling incident involving those who had applied to the Afghan Relocation and Assistance Policy (Arap) scheme in 2021.
He said the emails mistakenly made recipients' email addresses visible to all, instead of using the blind carbon copy function.
Coaker said the MoD would 'make good' on previous ministers' commitments to financially compensate those individuals affected. It was unclear why it had taken a year since Labour had entered government to arrange the payments.
He said: 'I can confirm to members the Ministry of Defence will be directly contacting those individuals who were affected by the data incident. Once a response is received and the affected individual's identity confirmed, a single ex-gratia payment of up to £4,000 per individual will be made.'
The total cost is expected to be in the region of £1.6 million. Lord Coaker said 'every effort will be made to ensure payments are made as quickly as reasonably practical'.
'I cannot undo past mistakes, but I wish to assure members that in my role, as minister for the armed forces, I intend to drive improvement in the department's data handling training and practices.
'[The Ministry of] Defence's record on these topics must improve and I am determined to ensure it does,' he added.
The UK information commissioner found previously that the department did not have the procedures in place to ensure group emails were sent securely to Afghans seeking relocation.
'This deeply regrettable data breach let down those to whom our country owes so much,' John Edwards, who was the UK information commissioner, said in 2023.
He said it was a 'particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes today'.
The Times reported in September 2021 how the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the 'To' field, with personal information inadvertently disclosed.
The email addresses could be seen by all recipients, including the thumbnail pictures that 55 people had on their email profiles. Two people even 'replied all' to the entire list of recipients, with one of them providing their location.
The original email was sent by the team in charge of the Arap, which is responsible for assisting the relocation of Afghan citizens who worked for the UK government in Afghanistan. There were concerns at the time that the data disclosed could have fallen into the hands of the Taliban.
The Information Commissioner's Office said the team had relied on 'blind carbon copy' (bcc) when sending emails at the time, which carried a 'significant risk of human error'.
Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the Arap team of their new contact details via a secure form.
