Afghan Interpreters’ Data Exposed in MoD Breach
The United Kingdom’s Ministry of Defense has apologized for sending an email that exposed the data of more than 250 Afghan interpreters who worked for British forces.
The impacted interpreters are seeking to be relocated to the UK either from Afghanistan, where many are currently in hiding from the Taliban, which seized power in August, or from another country to which they have relocated.
The email – in which the interpreters’ email addresses, names, and some linked profile images were exposed – was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP) to Afghan interpreters who have either left Afghanistan or who remain in the country.
One of the email’s recipients told the BBC: “This mistake could cost the life of interpreters, especially for those who are still in Afghanistan. Some of the interpreters didn’t notice the mistake and they replied to all the emails already and they explained their situation which is very dangerous.”
The MoD has reportedly suspended an official and launched an investigation into the data breach, which UK defense secretary Ben Wallace has described as “unacceptable.”
An MoD spokesperson said: “We apologize to everyone impacted by this breach and are working hard to ensure it does not happen again.”
Commenting on ARAP’s failure to utilize the BCC email feature, Labour shadow defense secretary John Healey said: “We told these Afghan interpreters we would keep them safe; instead, this breach has needlessly put lives at risk.”
Martin Jartelius, CSO at Outpost24, said that while this type of email-based data breach could easily occur, it was “sad and unnecessary in most organizations.”
“It’s so extremely easy to, by mistake and in stress, send an email with recipients listed openly instead of in BCC,” said Jartelius. “Still, for example, in the Office 365 suite, there are solutions, of which the easiest to at least give an additional notice is the feature MailTips.
“Here you can set the flag to warn for ‘Large Audience,’ and even as an organization sets what [that] level is – the default is 25 if enabled. Organizations that do not want to make the same mistake can set a warning this way.”
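As an added example (not code from the article or from Outpost24), this is how an Exchange Online administrator would check and set the “Large Audience” MailTip threshold that Jartelius refers to. The tenant address, the chosen threshold of 10 and the use of the ExchangeOnlineManagement module are assumptions.

```powershell
# Added example, not from the article or Outpost24: enable the "Large Audience"
# MailTip in Exchange Online so Outlook warns a sender before a message goes to
# many recipients listed openly in To/Cc, where every address is visible to all.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds Exchange administrator rights. The UPN is a placeholder.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Show the current MailTips settings. On an unmodified tenant the large-audience
# threshold is 25 recipients, the default figure quoted in the article.
Get-OrganizationConfig |
    Format-List MailTipsAllTipsEnabled,
                MailTipsLargeAudienceThreshold,
                MailTipsExternalRecipientsTipsEnabled

# Turn MailTips on and lower the threshold (10 here is an example value chosen
# for this demonstration; pick one that matches how your teams actually mail).
# Also warn when recipients are outside the organization, which is the case
# for a distribution to applicants rather than to internal staff.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
                       -MailTipsLargeAudienceThreshold 10 `
                       -MailTipsExternalRecipientsTipsEnabled $true

# Confirm the new threshold took effect.
(Get-OrganizationConfig).MailTipsLargeAudienceThreshold
```

A MailTip is advisory only: it shows the sender a warning in Outlook but does not stop the message from being sent, so it reduces the chance of the mistake described above rather than preventing it outright.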