MoD official left sensitive data open on laptop on train in another Afghan breach The Independent

pNotifications can be managed in browser preferencesppPlease refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged inppSwipe for next article ppExclusive Details of 49 data breaches at MoD include personal data accidentally sent to a civil service sports club with 140000 membersppFrom reproductive rights to climate change to Big Tech The Independent is on the ground when the story is developing Whether its investigating the financials of Elon Musks proTrump PAC or producing our latest documentary The A Word which shines a light on the American women fighting for reproductive rights we know how important it is to parse out the facts from the messagingppAt such a critical moment in US history we need reporters on the ground Your donation allows us to keep sending journalists to speak to both sides of the storyppThe Independent is trusted by Americans across the entire political spectrum And unlike many other quality news outlets we choose not to lock Americans out of our reporting and analysis with paywalls We believe quality journalism should be available to everyone paid for by those who can afford itppA Ministry of Defence official revealed confidential information by leaving a laptop open on a train in another Afghandata breach The Independent can reveal as new documents uncover a string of government blunders which have put private data in the wrong handsppAn official document outlining dozens of data breaches from within the unit handling applications from Afghans wanting to flee the Taliban and come to the UK describes how a laptop screen was left in view on a train during an incident in March 2023 ppAn officially sensitive personal email relating to such Afghans was also accidentally sent to the Civil Service Sports Social Club a group for all civil service and public sector employees that has 140000 members in August 2023 records show ppThe new details come after a catastrophic MoD data breach that potentially put thousands of Afghans who helped UK forces at risk from the Taliban The major breach which was discovered in August 2023 and led to thousands of Afghans being secretly relocated to the UK only came to light earlier this year when The Independent and other media organisations fought to lift an unprecedented gagging order which had been put in place to cover it upppThe incidents are among 49 data breaches over the past four years from within the unit handling applications from Afghans wanting to flee the Taliban and come to the UK with emails sent to the wrong people insecure systems used and information accessed by the wrong employees ppIn May 2024 a decision letter about a personal data incident was sent to the wrong person while in June 2023 a socalled warm welcome letter usually sent to Afghan families when they reach safety in the UK was sent to the wrong email address ppOther examples included emails being sent to the wrong people as well as an email sent to an applicant on the Afghan Relocations and Assistance Policy Arap resettlement scheme from a personal email address when the sender had logged out There was also an incident of incorrectly downloading higher classification material and a case of officials wrongly accessing personal medical information ppIn September 2023 there were also five instances of people using WhatsApp to share personal data In February of that year the MoD also recorded inadvertent access to a flight manifest document MoD chartered flights are often used to bring Afghans to safety in the UKppDetails of the data breaches emerged in a letter sent by the Ministry of Defence MoD to the public accounts committee this month ppDavid Williams the departments top civil servant detailed in a letter to MPs how personal data of Afghan applicants to the MoDs resettlement scheme had been sent to the wrong people and accessed by the wrong employees ppHe admitted that the February 2022 breach which saw a member of MoD personnel erroneously email out a spreadsheet with 33000 lines of data was facilitated by the lack of appropriate systems to prevent or mitigate the error Mr Williams admitted that the MoD did not have secure case work or contact management systems in place ppThe Arap scheme was set up in April 2021 after the Taliban takeover to help people who feared their lives were at risk because they had worked alongside the British in Afghanistan The scheme was closed in JulyppThe scheme has been beset by revelations of poor data security potentially putting the lives of Afghan allies at risk ppAccording to the MoDs own records five of 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking sanctuary in the UK were serious enough to have been reported to the data watchdog the Information Commissioners Office ICO ppThe data incidents escalated to the watchdog ICO included the February 2022 spreadsheet breach a series of incidents where people had their details shared via email with blind carbon copy recipients due to a failure and one breach related to a Microsoft Forms link ppIn the case of the blind copy breaches the ICO fined the MoD 350000 for disclosing personal information of people seeking relocation to the UK In one incident the details of 265 people were inadvertently disclosed Responding to the 2022 spreadsheet breach which involved the data of 18700 applicants to the Arap scheme the ICO decided not to launch a formal investigation saying that to do so would take away resources from other priorities ppDame Chi Onwurah chair of the science innovation and technology committee said Last week my committee heard from the information commissioner about the data protection implications of the Afghan data breach It was dismaying to hear that the ICO and successive administrations could have done more to ensure that government data practices were of a high enough standard to stop repeated data breaches from happening ppThis mishandling of sensitive information is particularly alarming when we consider the digital security risks that may arise from the governments plans for digital IDsppThe MoD documents the number of data incidents referred to the regulator ICO each year in its annual report including the number of people affected by these breaches It decides whether to refer an incident to the ICO based on the perceived level of harm caused in each instance ppThe MoD has declined to comment ppJoin thoughtprovoking conversations follow other Independent readers and see their repliesppPlease refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged inp