Skip links

UK Ministry of Defence apologises after Afghan interpreters’ personal data exposed in email blunder

The UK’s Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation.

The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising an immediate investigation, according to the BBC.

Included in the breach were profile pictures associated with some email accounts, according to the state-owned broadcaster. The initial email was followed up by a second message urging people who had received the first one to delete it – a way of drawing close attention to an otherwise routine missive.

The email was reportedly sent by the British government’s Afghan Relocations and Assistance Policy (ARAP) unit, urging the interpreters not to put themselves or their families at risk. The ministry was said to have apologised for the “unacceptable breach.”

“This mistake could cost the life of interpreters, especially for those who are still in Afghanistan,” one source told the Beeb.

Since the US-led military coalition pulled out of Afghanistan at the end of August, there have been distressing scenes in the country as the ruling Taliban impose Islamic Sharia law – while hunting down and punishing those who helped the Western militaries. Some interpreters have reportedly been murdered, with others fearing for their lives and the well-being of their families.

Most email blunders come with less lethal consequences. A misconfigured NHS mailserver caused real problems in 2016 when the health service’s entire email network ground to a halt following a spate of irate reply-all missives, while BT Security managed something superficially similar to the MoD cockup by CC’ing instead of BCC’ing 150 security bods pondering taking a job with the one-time state-owned monopoly.

Meanwhile, a 2019 cockup by a German company saw a hapless minion repeatedly cc all of the firm’s UK customers in a message asking for their consent to process their data under GDPR. Presumably they all said “hell no” after that.

The human error-induced problem is as old as email itself and is arguably inherent in the design of most mail clients used by loose fingered users.

Jake Moore, cybersecurity specialist at ESET, commented: “Human error can still be one of the biggest causes of a data breach, and this can be difficult to protect from within an organisation due to the innocence behind them.

“Insider threats caused by misjudgement or even owning overriding rights are often difficult to foresee and therefore become a challenge for infosecurity teams. Placing restraints in CC fields, for example, would inevitably cause issues against authentic use but it can be difficult to automate processes which are not predicted. This particular mishap may even be the result of burnout which is just as much of a threat to IT as an illicit threat.” ®