LONDON: A UK defense official revealed sensitive personal information related to Afghans fleeing the Taliban when he left his laptop screen in public view on a train.
The incident was among dozens of data security breaches involving the Ministry of Defence unit handling the relocation of people who had worked alongside British forces during the war in Afghanistan.
In another blunder, an email containing sensitive data from the program was accidentally sent to a civil service sports and social club.
The breaches are among 49 incidents that have come to light in the fallout from a massive MoD data breach in 2022, when a spreadsheet containing details of almost 19,000 Afghans fleeing the Taliban was inadvertently leaked.
Those listed were applying under the Afghan Relocations and Assistance Policy set up just a few months before the Taliban captured Kabul.
Dozens of Afghans whose identities were contained in the leak said they have had family members or colleagues killed as a result of the data breach, according to research published this week.
The BBC reported in August that the leak was far from an isolated data security failure at the unit, revealing that there had been 49 separate incidents over four years.
Details of each of those incidents were revealed in a letter sent from a ministry civil servant to the parliament’s public accounts committee this month and reported by The Independent on Thursday.
The train incident in March 2023 involved an official ministry laptop screen displaying personal data being left in view of other passengers.
A decision letter about a personal data incident was sent to the wrong person in May 2024, and the following month a letter meant to welcome an Afghan family after reaching safety in the UK was sent to the wrong email address.
Other incidents included insecure systems being used and sensitive information being accessed by the wrong employees.
Only five of the incidents were considered serious enough to be reported to the Information Commissioner’s Office, the UK’s data privacy watchdog.
The ICO decided not to launch a formal investigation into the February 2022 leak.
John Edwards, the UK information commissioner, told the science, innovation and technology committee last week that the ICO had relied on the “honesty” of the MoD when choosing not to investigate.
Dame Chi Onwurah, the committee’s chair, told The Independent: “Last week, my committee heard from the information commissioner about the data protection implications of the Afghan data breach. It was dismaying to hear that the ICO and successive administrations could have done more to ensure that government data practices were of a high enough standard to stop repeated data breaches from happening.”
In the letter to the public accounts committee revealing the details of the 49 breaches, Defense Ministry civil servant David Williams described how the department had moved to improve data protection practices since the February 2022 leak.
He said the leak happened “as a result of the lack of appropriate systems and the pressure of an ongoing evacuation operation.”