
ICO Responds to MoD Afghan Breach, No Further Action Intended

Information Commissioner says it remains willing to have those conversations with relevant stakeholders.

The personal information of more than 100 British officials was included in the Afghan data breach.

According to Reuters, BBC News and other outlets, MI6 spies and members of the SAS may have also been included in the data leak. A spokesperson for the Ministry of Defence cited its longstanding policy not to comment on matters related to the special forces.

The incident occurred in February 2022, under the Conservative government, when a spreadsheet with names of individual applicants for the ARAP scheme was emailed outside of official government systems. A small section of this spreadsheet briefly appeared online on 14 August 2023, which is when the previous Government first became aware of the incident.

Great Anxiety

In a statement, the ICO said it recognises “the seriousness of that breach, and the great stress and anxiety it caused those individuals.” Emily Keaney, deputy commissioner, said: “While we have been unable to comment on this matter publicly until now, I want to reassure the public that our expert team has been working behind the scenes to support and provide scrutiny to this internal investigation into what is a complex and sensitive situation.

“Data protection should never be a barrier to sharing information when this is needed to prevent harm and we accept that the initial sharing of the document was intentional and considered under the circumstances. However, there were mistakes made beyond this, with hidden data in the spreadsheet.

“We have been clear with the MoD that this incident is unacceptable and should never happen again – the stakes are simply too high. The public must be able to trust that the government has measures in place to protect the personal information and security of the most vulnerable people.”

Keaney said that the ICO has supported the MoD with its internal investigation, and carefully considered the specific circumstances under which the breach occurred, including the critical need to share data urgently in this situation.

“We’re reassured that the MoD’s investigation has resulted in taking necessary steps and minimised the risk of this happening again,” she said. “We have also considered the proportionality of further action while the MoD rightly take steps to protect those most affected. We are satisfied that no further regulatory action is required at this time in this case. We are keeping this under review and may choose to revisit this decision at any time if new information comes to light.”

Issues Ongoing?

In a further explanation, Information Commissioner John Edwards said the ICO had to consider whether the issues are ongoing, and if the organisation responsible has adequately identified the cause of the breach and has sufficiently learned the lessons.

“Since we were notified of the spreadsheet breach in 2023, we have worked closely with the MoD, under the constraints of highly classified information, and a very strict court injunction (popularly described as a super-injunction),” he said. “We ensured the causes of the breach were identified, and rectified, that lessons were learned, and everything possible was done to mitigate the effects on the affected individuals.

“The mitigations have come at significant cost to the public purse, and MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future.”

Very Little to Add

Edwards said the ICO determined that there was little it could add in this case that would justify the further allocation of resource away from other priorities. “In making that call, we have not lost sight of the fact the MoD undoubtedly got things wrong, and the consequences have been serious,” he said. “Organisations must do better to ensure mistakes like this don’t happen and understand the serious implications to people’s lives if they get it wrong.

“We recognise that there are issues of public confidence and accountability, and that we possess specific skills which other accountability bodies might wish to call on in order to gain the reassurance of a formal investigation. We remain willing to have those conversations with relevant stakeholders.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
