LONDON: More than 3,000 Afghans, British troops and government officials have had their personal data breached following a cyberattack, the UK’s Ministry of Defense has said.
Some of the victims may have had their information hacked for a second time, following the ministry’s high-profile Afghan data breach discovered in 2023, which was the subject of a superinjunction — preventing it from being publicly disclosed — until last month.
The 2023 breach exposed the identities of thousands of Afghans who had served alongside British forces as part of the multinational decade-long conflict against the Taliban. Many of them reported receiving threats after the leaked database was apparently discovered by Afghanistan’s Taliban rulers.
Following the latest incident, an alert was sent to about 3,700 affected people on Friday, The Times reported. They were told that their personal information had been breached, including name, date of birth and passport number.
The data was included in a record of information relating to evacuation flights from Afghanistan to England’s Stansted Airport between January and March 2024.
Inflite, a third-party subcontractor hired by the ministry, held the data. The firm suffered a ransomware attack thought to have been carried out by criminal gangs.
More than 100 British personnel were victims of the breach. The rest of those affected are Afghans.
The ministry said in its alert: “There is a risk that some of your or your family’s personal information may be affected. This may include passport details (including name, date of birth, and passport number) and Afghan Relocations and Assistance Policy reference numbers.”
Those alerted were requested to “please remain vigilant and be alert to unexpected communication or unusual activity.”
So far, there is no evidence that any of the information has been released publicly or on the dark web, ministry sources told The Times.
The latest leak adds to growing embarrassment over the UK’s handling of the Afghanistan withdrawal, which was completed in 2021.
Sir Mark Lyall Grant, former UK national security adviser, told the BBC’s “Newsnight” program that both breaches were “deeply embarrassing” for the government.
Verification as part of the relocation process is necessary, but the British government must “honor the commitment they made,” Grant added.
“We do need to move faster to protect people who genuinely are at risk of being victimized and persecuted by the Taliban if they go back,” he said.
It was revealed that the government’s multi-year superinjunction on the previous Afghan data breach cost taxpayers more than $3 million.
An emergency government scheme that was hidden from the public in response to the breach may have cost more than $9 billion, as part of efforts to bring at-risk Afghans to Britain.
Adnan Malik of Barings Law, which is representing 1,400 Afghans affected by the previous data leak, said: “This is public money they used to cover their own backs. Barings Law will continue to pursue justice for all of those affected, and stop the deceit on behalf of the Ministry of Defense.”
A former interpreter who suffered war injuries in Afghanistan and now campaigns for his Afghan ex-colleagues told The Times that he was “truly worried” about how the ministry has mishandled the personal data of Afghan allies.
“Once again, they have failed to protect those who stood shoulder to shoulder with them in the fight against terrorism,” said Rafi Hottak. “How can it be that we’ve now had three separate data leaks involving one of the most vulnerable groups of people?”
A spokesperson for Inflite said: “While we cannot comment on specific details of the data security incident or any communications related to it due to the sensitivity of the matter, we remain fully committed to protecting our systems, data, and the interests of all our stakeholders.”
A government spokesperson said: “We were recently notified that a third-party subcontractor to a supplier experienced a cybersecurity incident involving unauthorized access to a small number of its emails that contained basic personal information.
“We take data security extremely seriously and are going above and beyond our legal duties in informing all potentially affected individuals.
“The incident has not posed any threat to individuals’ safety, nor compromised any government systems.”