back to article UK Ministry of Defence apologises after Afghan interpreters' personal data exposed in email blunder

The UK's Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation. The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising …

  1. SCP

    This bungle is incredible and deplorable. Given the obvious sensitivity of the data how was it not marked with a high classification marking which would have required it be kept off systems with open access to the internet and public email.

    Also claiming this to be a cc/bcc cock-up is understating it - the lack of confidentiality in public emails is well established (akin to putting the message on a postcard). Why was this being sent by email in the first place? Presumably the sender also had a UK/MoD address - well that would arouse suspicions.

    Several people deserve to be hauled over the coals on this one.

    1. Just A Quick Comment

      "Several people deserve to be hauled over the coals on this one."

      Yes, but they won't be... Government departments closing ranks and all that...

      1. David 132 Silver badge
        FAIL

        Slight correction.

        Civil Service departments closing ranks.

        Regardless of the colour of the government, it's the Sir Humphreys and their Bernards that make these kind of mistakes. You don't think the Defence Minister du jour personally composed that email, do you?

        But yeah. Icon regardless. Could we be any shittier to the Afghans who risked their lives to help us?

        1. Anonymous Coward
          Anonymous Coward

          I tihnk it quite possible a Special Political Advisor to the Minister composed the email rather than a professional civil servant.

          1. David 132 Silver badge
            Thumb Up

            A SPAM email?

            ISWYDT. Ho ho.

        2. Cederic Silver badge

          I read Government Departments and interpreted it as Civil Service anyway. The Civil Service are a tool of Government.

  2. elsergiovolador Silver badge

    Too many blunders

    There have been too many blunders around this to think it was just another accident.

    I saw one commenter saying - if they expose all people who helped, they won't have to be bothered to rescue them and then they can avoid all the headache of resettling and possible upset of local population etc. It will be another "Oh well, apols" and two weeks later media and people will forget about Afghanistan anyway.

    At least that's how reality of headline driven politics looks like.

    1. IGotOut Silver badge

      Re: Too many blunders

      Two weeks? It'll be lucky to make it to tomorrow.

    2. WhiteDragon43

      Re: Too many blunders

      @elsergiovolador

      Same thought crossed my mind - standard whitewash to be applied - any guilty party should take a holiday in Afghanistan to receive their reward from the new government/Taliban as a thankyou.

    3. bombastic bob Silver badge
      Black Helicopters

      Re: Too many blunders

      I'm not inclined to think that the U.K. would make such a blunder deliberately.

      (as for OUR current gummint...)

  3. IGotOut Silver badge
    FAIL

    Don't worry.

    They have the details already thanks to a previous **** up.

    https://www.telegraph.co.uk/world-news/2021/08/27/british-embassy-left-details-afghan-staff-taliban-find/

    1. Mike 137 Silver badge

      Re: Don't worry.

      "They have the details already thanks to a previous **** up."

      I can't find a reference, but there was also a report on the BBC news just prior to the final departure that a list of Afghans seeking to leave for safety reasons was handed (not sure by what national force) to a Taliban checkpoint "so they could let them through".

      1. Cederic Silver badge

        Re: Don't worry.

        I thought that was the US, rather than us. We sent out squads to collect as many vulnerable people as we could.

        (Which is why the US tried to blame us for the casualties in the bombing at the airport, instead of acknowledging that they'd failed to act on their own intelligence, failed to protect their own troops and civilians and also chosen not to intercept the bomb en route. Although given their next attempt to intercept a bomb resulted in the brutal murder of an innocent family I guess we should be grateful when they don't open fire.)

  4. Anonymous Coward
    Anonymous Coward

    About that EXTRA 1.9 billion pounds.......

    Quote 1: “The Ministry of Defence takes its information and data handling responsibilities very seriously.”, Ben Wallace, September 2021

    Link: https://www.theguardian.com/uk-news/2021/sep/20/mod-data-breach-puts-lives-at-risk-for-more-than-250-afghan-interpreters

    Quote 2. "Britain to spend 1.9 billion pounds on boosting cyber defenses", Philip Hammond, November 2016

    Link: https://www.reuters.com/article/us-britain-cyber-idUSKBN12W39K

    Interesting that the Reuters report from 2016 said: "....The new National Cyber Security Strategy will provide funding to develop automatic defenses to help protect British businesses and citizens online..."

    Yup.."protect" was the word used. Clearly 1.9 billion EXTRA pounds and a new "cyber security" department to boost the STASI in Cheltenham.........

    ........hasn't managed to reach the MOD in the intervening four plus years.....perhaps with a little "cyber security email training".

    Your tax pound sterling at work!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: About that EXTRA 1.9 billion pounds.......

      protect British businesses and citizens, expose all others

  5. Clausewitz 4.0 Bronze badge
    Devil

    SNAFU after SNAFU

    5-eyes Intel programs are seriously been questioned these days.

    I am not a fan of shooting ducks in a barrel, but some people are.

    1. bombastic bob Silver badge
      Alert

      Re: SNAFU after SNAFU

      one BIG reason that certain kinds of information is classified is to KEEP our informants and operatives form being KILLED. Or worse.

      I have no doubt that every country (even allies) has operatives in pretty much every other country whenever possible, even if it's an informal operative in the form of an embassy staff member.

      However, we all know that in certain places in the world, revealing these people and their activities can result in torture and/or death, and not just be an embarrassing "oops" that makes a headline or two and probably gets you laughed at on late night comedy shows.

      I once saw some classified material back in the day (while doing a 'burn run') in which I instinctively recognized that if "that face" in the photo ever got to the wrong people, several people would DIE. This is why it was classified. It's not so much about the information, it's about the people who obtained it, or the people that are put in danger when that information is compromised.

  6. codejunky Silver badge

    Ouch

    Could be funny to do this intentionally with a list of ISIS members you want popping off but we really dont want to be shafting those who help us. I wonder if Americans are regretting their choice last election. Can anyone really imagine this seriously stupid failure under Trump?

    1. lglethal Silver badge
      Stop

      Re: Ouch

      You are aware that Trump signed the agreement for the Americans to leave AND set the leaving date. But apparently he didnt do any sort of planning for actually meeting said date.

      Biden was an idiot for sticking with the date, but do not start trying to say that this wouldnt have happened if Trump was in charge. It would have. And it probably would have been an even greater clusterf%&k.

      1. DJO Silver badge

        Re: Ouch

        Biden was an idiot for sticking with the date

        Far from it. The USA was committed so far better to get it over with at the start of his term and have 4 years to tidy up and allow the majority of the populace with their absurdly short attention spans to forget all about it.

        From an electoral perspective it was the best thing he could do, from the perspective of everybody directly involved it was going to be a shitshow no matter when it happened.

      2. codejunky Silver badge

        Re: Ouch

        @lglethal

        "You are aware that Trump signed the agreement for the Americans to leave AND set the leaving date"

        Trump set the date for May to leave. Biden moved the date to August, so Biden set up the withdrawal to a new date much further away and fluffed it so hard the failure was shocking. Biden set the date and fucked up hard! He didnt stick to Trumps date. Leaving was not Trumps failure.

        "But apparently he didnt do any sort of planning for actually meeting said date."

        How would we know? Biden took over the show, moved the date and screwed the pooch. What has that got to do with Trump?

        "Biden was an idiot for sticking with the date"

        He didnt.

        "but do not start trying to say that this wouldnt have happened if Trump was in charge. It would have"

        You must be high. Leaving in the night leaving half the kit and loads of Americans behind. Doubt it.

        "And it probably would have been an even greater clusterf%&k."

        I know people are gonna tell themselves that but some people seem to believe Biden stuck to Trumps exit date. The truth is different.

    2. Throatwarbler Mangrove Silver badge
      Facepalm

      Re: Ouch

      "Can anyone really imagine this seriously stupid failure under Trump?"

      Short answer: yes. Long answer: *waves vaguely at 2017-2021*

      1. codejunky Silver badge

        Re: Ouch

        @Throatwarbler Mangrove

        "Long answer: *waves vaguely at 2017-2021*"

        A time that seemed more successful than under Biden.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ouch

          From the man who, if he didn't actually bring you the coronavirus, market it across the US?

          1. codejunky Silver badge

            Re: Ouch

            @AC

            "From the man who, if he didn't actually bring you the coronavirus, market it across the US?"

            Eh? Trump blamed China for their terrible response causing the pandemic. Blamed the WHO for understating the problem and was trying to punish them for it. Also Trump did a great job at securing vaccine even if he pissed off the rest of the world by putting his country first.

            1. Anonymous Coward
              1. codejunky Silver badge

                Re: Ouch

                @AC

                "he was always completely on top of the situation, never lied about it, and never downplayed it"

                At first he accepted what the WHO had been saying in downplaying the situation. That is why he got pissed at the WHO and withdrew funding for playing politics instead of doing their job. Trump has likely lied about plenty, he was still a president but without the polish.

                I still dont understand the comment-

                "From the man who, if he didn't actually bring you the coronavirus, market it across the US?"

                Dunno if your the same AC but what does this gibberish mean?

                1. This post has been deleted by its author

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Ouch

                  (I'm a different AC, but I expect that one meant something like "marketed it in the US", implying that he basically allowed it to thrive, whether intentionally or through simple ignorance and mis-management.)

                  1. codejunky Silver badge

                    Re: Ouch

                    @AC

                    "(I'm a different AC, but I expect"

                    I had a similar assumption (hence my reply) but I wasnt sure. I also have a pet troll posting AC who apart from posting gibberish is desperate for my attention (see thread- https://forums.theregister.com/forum/all/2021/09/13/new_uk_ico_promises_to/#c_4334148).

                3. Anonymous Coward
                  Anonymous Coward

                  Re: Ouch

                  "Dunno if your the same AC but what does this gibberish mean?"

                  From the person who can't even use you're and your correctly.

    3. Anonymous Coward
      Anonymous Coward

      Re: Ouch

      "Can anyone really imagine this seriously stupid failure under Trump?"

      How about everyone on this planet? Only blinkered partisan fools would find any positives from the US (& UK) involvement in Afghanistan. From Bush, through Obama and Trump to Biden. Same single failure throughout the whole 20 year debacle.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ouch

        So, ehh, to expound upon Colonel Sam Trautman's teachings - if Afghanistan was Russia's Vietnam, then Afghanistan was the US's Afghanistan. Confusing, for sure.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ouch

          At least they invaded different countries: points at 1st, 2nd, 3rd, and 4th British Afghan wars.

      2. codejunky Silver badge

        Re: Ouch

        @AC

        "Only blinkered partisan fools would find any positives from the US (& UK) involvement in Afghanistan. From Bush, through Obama and Trump to Biden."

        Excluding Trump from that list I would agree. I would have been interested to see how he would have gone about it. Especially since he would have left sooner (he set the date for May)

        1. Anonymous Coward
          Anonymous Coward

          Re: Ouch

          Interesting. Why exclude President Trump?

          1. Anonymous Coward
            Anonymous Coward

            Re: Ouch

            I think that's a self-answering question: because he's a "blinkered partisan fool".

          2. codejunky Silver badge

            Re: Ouch

            @AC

            "Interesting. Why exclude President Trump?"

            Because Trump called an end to the war (even though he was then voted out before withdrawal), set the aim of the engagement so it would finally end and Biden fluffed the exit. The idiot AC replying this is partisan seems to think Bush was a democrat. The war needed to end and Trump is the first to have done anything about it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Ouch

              Wow. I think it is clear who the real idiot is after reading the above post.

            2. Anonymous Coward
              Anonymous Coward

              Re: Ouch

              "The war needed to end and Trump is the first to have done anything about it."

              Is that President "I could win a war in a week!" Trump? Are you one of those QAnon-4/8chan/kun dweebs who believe President Trump is a 4D chess playing God Emperor ? To quote the man himself. "Sad."

              1. codejunky Silver badge

                Re: Ouch

                @AC

                "Are you one of those QAnon-4/8chan/kun dweebs who believe President Trump is a 4D chess playing God Emperor ?"

                Nope but are you that dumbass AC troll thats been following me around?

          3. bombastic bob Silver badge
            Facepalm

            Re: Ouch

            Rule 69: any online discussion of world events after 2016 will eventually degrade into "Trump Hate"

            icon, because, facepalm

            1. Anonymous Coward
              Anonymous Coward

              Re: Ouch

              No hate. I clearly referred to him as President Trump and my scorn was for all of them back to Bush Jnr. Remember him? The one who engaged the whole western world in a pointless war in the Persian Gulf. Instead of just going into Afghanistan, deep-sixing every last AlQaeda-ist they could find. And then withdrawing.

    4. This post has been deleted by a moderator

      1. Anonymous Coward
        Anonymous Coward

        Re: Ouch

        Spanner?

  7. wolfetone Silver badge

    Starting to think the Guntrader owners use the same security guys as the MoD.

  8. Danny 2 Silver badge

    Egregious numpties

    This is appallingly bad. I've worked for some remiss employers, I've made mistakes myself, sometimes as sysadmin in compromised places, and yet nothing this basic would have failed.

    The person who did it, and the person who hired them, should face serious criminal charges. The responsible minister should resign in disgrace and without any pension, if the word responsible still means anything after the Falklands War. This is akin to abetting terrorism. This is lives. None of my errors cost lives.

    1. SundogUK Silver badge

      Re: Egregious numpties

      What the fuck has the Falklands War got to do with this?

      1. cshore

        Re: Egregious numpties

        Because Lord Carrington's resignation over the Falklands is often cited as the last time a government minister exhibited a sense of honour and resigned.

    2. SCP

      Re: Egregious numpties

      At face value the failings here seem much deeper than the person who ended up posting the stuff.

      Why were the personal details available on an open system that made it possible to email. Either the data was not under a high security classification (given the entirely forseeable consequences to those at the sharp end, and the harm to the UK's interests) OR the general handling of such data is improper - which casts doubt on the entire department (or wider): this is a significant institutional failure.

      Given the earlier breaches of PERSEC during the initial evacuation (which might have resulted from the exigent circumstances of the operation) the concerns will have been widely known - there cannot be any excuse for not being on alert for further risks or not identifying and correcting failings.

      The whole thing smacks of a level of complacency that will (and probably already has) result in people getting killed; and if this complacent attitude is not stomped on it will result in even more people getting killed.

    3. Cederic Silver badge

      Re: Egregious numpties

      I fail to see why the Minister should be held accountable.

      This is a process failure. The Minister could (and may) have asked whether processes are in place, and has a reasonable expectation that the extensive cyber security training we all know the Civil Service must receive would be a measure to prevent this type of issue.

      That the training failed, the process wasn't followed and someone made a mistake shouldn't require Ministerial resignation. Otherwise we'll be getting through Ministers at the rate of several a day.

      1. Anonymous Coward
        Anonymous Coward

        Re: Egregious numpties

        "I fail to see why the Minister should be held accountable."

        You should work in Cabinet. You'd fit right in. There may be a position at the Post Office that would suit too. And perhaps even a gong!

  9. AW-S

    How much can the ICO fine those responsible?

    Would the calculation be based upon the MoD annual budget?

    3% of £44.6 billion will keep the ICO afloat for some time to come. They might recruit some extra staff and deal with a couple of my complaints then.

    1. Cederic Silver badge

      Re: How much can the ICO fine those responsible?

      I believe the ICO will ask if you've raised this with the responsible organisation and exhausted their processes first.

      Good luck finding the right people to even start those processes.

      I've given up trying to raise things with the ICO. For example they can't investigate because I didn't raise an issue with Google, even though I highlighted that Google are breaching the law in how they act towards over 40 million people in the UK and offer no direct means of contacting them to address this. Thanks ICO.

  10. Anonymous Coward
    Anonymous Coward

    GDPR requires technical measures as well as organisational measures

    The classic mistake of "using CC instead of BCC" is probably the main cause of unintended data breaches in general. It a form of human error and therefore any organisation-defined procedures are likely to have limited impact on reducing the occurance of such mistakes. That is why technical measures should be implemented by organisations (both public sector and businessess) to vastly reduce the scope for such mistakes to happen.

    Indeed the GDPR covers technical measures, i.e. in GDPR Article 5(1)(f):

    "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

    However the ICO never seem to bother prosecuting any org who fails to implement any, or insufficient, technical measures. The vast majority of organisations are unlikely to bother implementing suitable technical measures until the ICO starts taking action due to their absence.

  11. Ian 55

    Takes about a minute to tell Postfix 'don't allow any outgoing email to have more than ten addresses in the to: or bcc: fields'.

    Saved various people here lots of embarrassment over the years.

    1. Ian 55

      'to: or cc: fields' of course. My fingers almost automatically change cc into bcc!

  12. Anonymous Coward
    Anonymous Coward

    It's so much worse than that ...

    The Taliban have already begun to identify people abroad and how they can be "persuaded" to do their bidding at arms length. This will just make that process so much easier.

    Believe me, there are plenty of 100% "clean" Afghan people who have fled west than would pass any number of security checks and yet still end up having to follow orders or know their entire family back in Afghanistan are condemned to a pretty horrible fate.

  13. Norman Nescio Silver badge

    It happens to the best of people...

    El Reg in email address blunder (24 Oct 2011)

    So, very nearly 10 years on, the same problem keeps on happening. We should not blame the victim, we should blame the software design that allows bungles like this to happen. Both email clients and MTAs should work together to query over-long CC-lists, but I recognise that the technical problem is not easy to solve. Setting up an MTA to refuse to forward an email with more than a set number of CC (or even direct) recipients is easy (deciding the 'set number' isn't), but if an email address is actually a mailing-list address, you can still (embarrassingly) send an email to all the inboxes of an entire organisation with a single entry in the To or CC field.

    My email client tells me if I have an empty subject field. It does some pattern matching to ask if I have forgotten an attachment if an email contains certain keywords and lacks an attachment, so I think it is reasonably possible to have a client that warns on a long CC-list. Similarly, an MTA could put an email with a long CC-list in quarantine and send a message back to the sender asking if they are sure it should be sent. Really sensitive stuff could require two separate accounts to agree to release an email from quarantine.

    Relying on fallible humans to get it right every time is a recipe for disaster. Lives really are at stake.

    NN

  14. Fred Flintstone Gold badge

    Yes Minister again..

    I'm presently working my way through the whole box set of Yes Minister/Yes Prime Minister.

    Given the scandalous way that things are still going at government level it seems more a documentary.

  15. Robert Carnegie Silver badge

    I'm not clear if this has just now happened, or if the BBC held off on revealing the story until an initial attempt could be made to clean the mess up.

    A mess which apparently includes one or more recipients doing a "Reply to all".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022