Sat. Aug 30th, 2025
Defense Officials Cautioned Against Data Sharing Prior to Afghan Leak

Documents released by the UK’s data regulator reveal that Ministry of Defence (MoD) staff received warnings about sharing information containing hidden tabs prior to the Afghan data leak.

Last month, it was disclosed that the personal details of nearly 19,000 individuals fleeing the Taliban, who had applied to relocate to the UK, were compromised when an official inadvertently emailed a spreadsheet containing a hidden tab with sensitive information.

The Information Commissioner’s Office (ICO) documents also indicate internal concerns about the lack of a fine issued to the MoD in response to the breach.

While the MoD asserts it has taken steps to enhance data security, an ICO spokesperson stated that the government has not yet fully addressed the lessons learned from the incident.

According to an ICO memo, existing guidance at the time of the leak demonstrates that the “MoD was aware of the risks of sharing data and explicitly referenced the need to remove hidden data from datasets”.

Hidden tabs, a common feature in spreadsheet software, conceal information from immediate view but allow for easy access if document settings are modified.

The government estimates that the 2022 leak, which necessitated an emergency resettlement program for individuals at risk of Taliban persecution, will ultimately cost approximately £850 million.

The compromised document contained the names, contact details, and, in some instances, family information of thousands who believed their association with British forces during the Afghanistan war placed them in danger.

A High Court super-injunction, granted in September 2023, suppressed reporting of the incident for nearly two years, until the order was lifted last month.

Shortly after the MoD discovered the data breach in 2023, it notified the ICO. The two entities engaged in several confidential meetings over the subsequent two years, with newly released documents shedding light on the discussions.

Government officials reportedly described the leak as potentially “the most expensive email ever sent.” Internal emails also reveal ICO staff concerns regarding the decision not to independently investigate the MoD or impose a fine.

Data breaches by public bodies are legally mandated to be reported to the ICO, which then has the discretion to investigate and potentially penalize the responsible organization.

ICO staff privately deliberated the potential “reputational risk” to the regulator stemming from its decision not to sanction the MoD, particularly in light of a £350,000 fine issued for a considerably smaller Afghan data breach in 2023.

In an email circulated the afternoon before the leak became public, an ICO staff member acknowledged that the rationale for not fining the government remained an “imperfect answer.”

The ICO published the documents earlier this month following a Freedom of Information request, which was not submitted by the BBC.

While written notes were prohibited during the confidential meetings, an ICO memo detailing the timeline of events was compiled after the incident became public last month.

The memo states that the MoD took “intensive measures to recover and delete data from all identified sources” and “limit loss of control” upon discovering the breach.

In a private email exchange, an ICO staff member questioned the delay in deciding whether to investigate, suggesting that “if I was a journalist I would ask why has it taken two years to ascertain whether or not to take action.”

Another staff member acknowledged the ICO’s “significant role” but conceded that “the reality is that we have only been able to review information in situ and been reliant on the MoD to gather evidence under our guidance.”

The documents reveal that the ICO ultimately decided against sanctioning the MoD so as not to “impose additional cost to the taxpayer.”

Last week, BBC News reported 49 separate data breaches within the past four years at the unit responsible for handling relocation applications from Afghans seeking refuge in the UK.

An ICO spokesperson stated that they had “focused clearly on making sure that the causes of breaches were identified, rectified and lessons learned.”

The spokesperson added that the government had “not yet done enough to achieve the pace of changes” required and that they had requested “assurances that necessary improvements are being made and standards are being raised.”

An MoD spokesperson affirmed that the government had worked to “improve data security across the department through better software, training and data experts.”

The spokesperson concluded: “We have worked hand-in-hand with the ICO during an internal investigation and accepted all recommendations in full to ensure a similar incident doesn’t happen again.”

This development coincides with the UK’s Information Commissioner urging the government to intensify efforts to prevent data breaches, such as the Afghan leak.

In July, following the public disclosure of the Afghan breach, Commissioner John Edwards addressed a letter to the Chancellor of the Duchy of Lancaster, Pat McFadden, asserting that the government “needs to go further and faster to ensure Whitehall, and the wider public sector put their practices in order.”

The Commissioner recommended that ministers “as a matter of urgency” fully implement the recommendations of an information security review conducted in response to a series of public sector data breaches.

The review, commissioned in 2023 by the previous government, was publicly released for the first time on Thursday following pressure from Dame Chi Onwurah, chairwoman of the Science, Innovation and Technology Committee.

Dame Chi stated that the government “still has questions to answer” regarding the review and the fact that only 12 of the 14 recommendations have been implemented.

In a letter to Dame Chi, McFadden affirmed that “good progress” had been made on improving data standards “but we must guard against complacency.”

“This is an area on which we must keep a consistent focus to ensure standards continue to improve,” McFadden stated.
