The UK's Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation. The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Tuesday 21st September 2021 11:50 GMT SCP

This bungle is incredible and deplorable. Given the obvious sensitivity of the data how was it not marked with a high classification marking which would have required it be kept off systems with open access to the internet and public email.

Also claiming this to be a cc/bcc cock-up is understating it - the lack of confidentiality in public emails is well established (akin to putting the message on a postcard). Why was this being sent by email in the first place? Presumably the sender also had a UK/MoD address - well that would arouse suspicions.

Several people deserve to be hauled over the coals on this one.

32 0 Reply
1. Tuesday 21st September 2021 13:05 GMT Just A Quick Comment
  
  "Several people deserve to be hauled over the coals on this one."
  
  Yes, but they won't be... Government departments closing ranks and all that...
  
  13 0 Reply
  1. Tuesday 21st September 2021 14:27 GMT David 132
    
    Slight correction.
    
    Civil Service departments closing ranks.
    
    Regardless of the colour of the government, it's the Sir Humphreys and their Bernards that make these kind of mistakes. You don't think the Defence Minister du jour personally composed that email, do you?
    
    But yeah. Icon regardless. Could we be any shittier to the Afghans who risked their lives to help us?
    
    8 0 Reply
    1. Wednesday 22nd September 2021 08:36 GMT Anonymous Coward
      
      I tihnk it quite possible a Special Political Advisor to the Minister composed the email rather than a professional civil servant.
      
      4 1 Reply
      1. Wednesday 22nd September 2021 11:24 GMT David 132
        
        A SPAM email?
        
        ISWYDT. Ho ho.
        
        1 0 Reply
    2. Wednesday 22nd September 2021 11:36 GMT Cederic
      
      I read Government Departments and interpreted it as Civil Service anyway. The Civil Service are a tool of Government.
      
      0 0 Reply
Tuesday 21st September 2021 12:13 GMT elsergiovolador

Too many blunders

There have been too many blunders around this to think it was just another accident.

I saw one commenter saying - if they expose all people who helped, they won't have to be bothered to rescue them and then they can avoid all the headache of resettling and possible upset of local population etc. It will be another "Oh well, apols" and two weeks later media and people will forget about Afghanistan anyway.

At least that's how reality of headline driven politics looks like.

17 6 Reply
1. Tuesday 21st September 2021 12:14 GMT IGotOut
  
  Re: Too many blunders
  
  Two weeks? It'll be lucky to make it to tomorrow.
  
  7 0 Reply
2. Tuesday 21st September 2021 12:42 GMT WhiteDragon43
  
  Re: Too many blunders
  
  @elsergiovolador
  
  Same thought crossed my mind - standard whitewash to be applied - any guilty party should take a holiday in Afghanistan to receive their reward from the new government/Taliban as a thankyou.
  
  10 0 Reply
3. Wednesday 22nd September 2021 16:38 GMT bombastic bob
  
  Re: Too many blunders
  
  I'm not inclined to think that the U.K. would make such a blunder deliberately.
  
  (as for OUR current gummint...)
  
  0 0 Reply
Tuesday 21st September 2021 12:16 GMT IGotOut

Don't worry.

They have the details already thanks to a previous **** up.

https://www.telegraph.co.uk/world-news/2021/08/27/british-embassy-left-details-afghan-staff-taliban-find/

8 0 Reply
1. Tuesday 21st September 2021 12:34 GMT Mike 137
  
  Re: Don't worry.
  
  "They have the details already thanks to a previous **** up."
  
  I can't find a reference, but there was also a report on the BBC news just prior to the final departure that a list of Afghans seeking to leave for safety reasons was handed (not sure by what national force) to a Taliban checkpoint "so they could let them through".
  
  9 0 Reply
  1. Wednesday 22nd September 2021 11:37 GMT Cederic
    
    Re: Don't worry.
    
    I thought that was the US, rather than us. We sent out squads to collect as many vulnerable people as we could.
    
    (Which is why the US tried to blame us for the casualties in the bombing at the airport, instead of acknowledging that they'd failed to act on their own intelligence, failed to protect their own troops and civilians and also chosen not to intercept the bomb en route. Although given their next attempt to intercept a bomb resulted in the brutal murder of an innocent family I guess we should be grateful when they don't open fire.)
    
    0 0 Reply
Tuesday 21st September 2021 12:26 GMT Anonymous Coward

About that EXTRA 1.9 billion pounds.......

Quote 1: “The Ministry of Defence takes its information and data handling responsibilities very seriously.”, Ben Wallace, September 2021

Link: https://www.theguardian.com/uk-news/2021/sep/20/mod-data-breach-puts-lives-at-risk-for-more-than-250-afghan-interpreters

Quote 2. "Britain to spend 1.9 billion pounds on boosting cyber defenses", Philip Hammond, November 2016

Link: https://www.reuters.com/article/us-britain-cyber-idUSKBN12W39K

Interesting that the Reuters report from 2016 said: "....The new National Cyber Security Strategy will provide funding to develop automatic defenses to help protect British businesses and citizens online..."

Yup.."protect" was the word used. Clearly 1.9 billion EXTRA pounds and a new "cyber security" department to boost the STASI in Cheltenham.........

........hasn't managed to reach the MOD in the intervening four plus years.....perhaps with a little "cyber security email training".

Your tax pound sterling at work!!!

2 1 Reply
1. Wednesday 22nd September 2021 08:37 GMT Anonymous Coward
  
  Re: About that EXTRA 1.9 billion pounds.......
  
  protect British businesses and citizens, expose all others
  
  0 1 Reply
Tuesday 21st September 2021 12:39 GMT Clausewitz 4.0

SNAFU after SNAFU

5-eyes Intel programs are seriously been questioned these days.

I am not a fan of shooting ducks in a barrel, but some people are.

0 3 Reply
1. Wednesday 22nd September 2021 16:48 GMT bombastic bob
  
  Re: SNAFU after SNAFU
  
  one BIG reason that certain kinds of information is classified is to KEEP our informants and operatives form being KILLED. Or worse.
  
  I have no doubt that every country (even allies) has operatives in pretty much every other country whenever possible, even if it's an informal operative in the form of an embassy staff member.
  
  However, we all know that in certain places in the world, revealing these people and their activities can result in torture and/or death, and not just be an embarrassing "oops" that makes a headline or two and probably gets you laughed at on late night comedy shows.
  
  I once saw some classified material back in the day (while doing a 'burn run') in which I instinctively recognized that if "that face" in the photo ever got to the wrong people, several people would DIE. This is why it was classified. It's not so much about the information, it's about the people who obtained it, or the people that are put in danger when that information is compromised.
  
  0 0 Reply
Tuesday 21st September 2021 13:02 GMT codejunky

Ouch

Could be funny to do this intentionally with a list of ISIS members you want popping off but we really dont want to be shafting those who help us. I wonder if Americans are regretting their choice last election. Can anyone really imagine this seriously stupid failure under Trump?

7 28 Reply
1. Tuesday 21st September 2021 13:47 GMT lglethal
  
  Re: Ouch
  
  You are aware that Trump signed the agreement for the Americans to leave AND set the leaving date. But apparently he didnt do any sort of planning for actually meeting said date.
  
  Biden was an idiot for sticking with the date, but do not start trying to say that this wouldnt have happened if Trump was in charge. It would have. And it probably would have been an even greater clusterf%&k.
  
  16 5 Reply
  1. Tuesday 21st September 2021 16:01 GMT DJO
    
    Re: Ouch
    
    Biden was an idiot for sticking with the date
    
    Far from it. The USA was committed so far better to get it over with at the start of his term and have 4 years to tidy up and allow the majority of the populace with their absurdly short attention spans to forget all about it.
    
    From an electoral perspective it was the best thing he could do, from the perspective of everybody directly involved it was going to be a shitshow no matter when it happened.
    
    9 2 Reply
  2. Tuesday 21st September 2021 16:27 GMT codejunky
    
    Re: Ouch
    
    @lglethal
    
    "You are aware that Trump signed the agreement for the Americans to leave AND set the leaving date"
    
    Trump set the date for May to leave. Biden moved the date to August, so Biden set up the withdrawal to a new date much further away and fluffed it so hard the failure was shocking. Biden set the date and fucked up hard! He didnt stick to Trumps date. Leaving was not Trumps failure.
    
    "But apparently he didnt do any sort of planning for actually meeting said date."
    
    How would we know? Biden took over the show, moved the date and screwed the pooch. What has that got to do with Trump?
    
    "Biden was an idiot for sticking with the date"
    
    He didnt.
    
    "but do not start trying to say that this wouldnt have happened if Trump was in charge. It would have"
    
    You must be high. Leaving in the night leaving half the kit and loads of Americans behind. Doubt it.
    
    "And it probably would have been an even greater clusterf%&k."
    
    I know people are gonna tell themselves that but some people seem to believe Biden stuck to Trumps exit date. The truth is different.
    
    6 17 Reply
2. Tuesday 21st September 2021 13:55 GMT Throatwarbler Mangrove
  
  Re: Ouch
  
  "Can anyone really imagine this seriously stupid failure under Trump?"
  
  Short answer: yes. Long answer: *waves vaguely at 2017-2021*
  
  19 5 Reply
  1. Tuesday 21st September 2021 16:28 GMT codejunky
    
    Re: Ouch
    
    @Throatwarbler Mangrove
    
    "Long answer: *waves vaguely at 2017-2021*"
    
    A time that seemed more successful than under Biden.
    
    3 18 Reply
    1. Wednesday 22nd September 2021 08:39 GMT Anonymous Coward
      
      Re: Ouch
      
      From the man who, if he didn't actually bring you the coronavirus, market it across the US?
      
      3 1 Reply
      1. Wednesday 22nd September 2021 09:22 GMT codejunky
        
        Re: Ouch
        
        @AC
        
        "From the man who, if he didn't actually bring you the coronavirus, market it across the US?"
        
        Eh? Trump blamed China for their terrible response causing the pandemic. Blamed the WHO for understating the problem and was trying to punish them for it. Also Trump did a great job at securing vaccine even if he pissed off the rest of the world by putting his country first.
        
        2 7 Reply
        
        Wednesday 22nd September 2021 09:58 GMT Anonymous Coward
        
        Re: Ouch
        
        Yes, that's right – I remember now, he was always completely on top of the situation, never lied about it, and never downplayed it. My mistake.
        
        4 2 Reply
        
        Wednesday 22nd September 2021 10:59 GMT codejunky
        
        Re: Ouch
        
        @AC
        
        "he was always completely on top of the situation, never lied about it, and never downplayed it"
        
        At first he accepted what the WHO had been saying in downplaying the situation. That is why he got pissed at the WHO and withdrew funding for playing politics instead of doing their job. Trump has likely lied about plenty, he was still a president but without the polish.
        
        I still dont understand the comment-
        
        "From the man who, if he didn't actually bring you the coronavirus, market it across the US?"
        
        Dunno if your the same AC but what does this gibberish mean?
        
        2 3 Reply
        
        This post has been deleted by its author
        
        Wednesday 22nd September 2021 11:09 GMT Anonymous Coward
        
        Re: Ouch
        
        (I'm a different AC, but I expect that one meant something like "marketed it in the US", implying that he basically allowed it to thrive, whether intentionally or through simple ignorance and mis-management.)
        
        4 0 Reply
        
        Wednesday 22nd September 2021 12:59 GMT codejunky
        
        Re: Ouch
        
        @AC
        
        "(I'm a different AC, but I expect"
        
        I had a similar assumption (hence my reply) but I wasnt sure. I also have a pet troll posting AC who apart from posting gibberish is desperate for my attention (see thread- https://forums.theregister.com/forum/all/2021/09/13/new_uk_ico_promises_to/#c_4334148).
        
        1 2 Reply
        
        Wednesday 22nd September 2021 12:15 GMT Anonymous Coward
        
        Re: Ouch
        
        "Dunno if your the same AC but what does this gibberish mean?"
        
        From the person who can't even use you're and your correctly.
        
        3 1 Reply
3. Tuesday 21st September 2021 14:03 GMT Anonymous Coward
  
  Re: Ouch
  
  "Can anyone really imagine this seriously stupid failure under Trump?"
  
  How about everyone on this planet? Only blinkered partisan fools would find any positives from the US (& UK) involvement in Afghanistan. From Bush, through Obama and Trump to Biden. Same single failure throughout the whole 20 year debacle.
  
  11 4 Reply
  1. Tuesday 21st September 2021 14:56 GMT Anonymous Coward
    
    Re: Ouch
    
    So, ehh, to expound upon Colonel Sam Trautman's teachings - if Afghanistan was Russia's Vietnam, then Afghanistan was the US's Afghanistan. Confusing, for sure.
    
    6 0 Reply
    1. Wednesday 22nd September 2021 08:40 GMT Anonymous Coward
      
      Re: Ouch
      
      At least they invaded different countries: points at 1st, 2nd, 3rd, and 4th British Afghan wars.
      
      4 0 Reply
  2. Tuesday 21st September 2021 16:30 GMT codejunky
    
    Re: Ouch
    
    @AC
    
    "Only blinkered partisan fools would find any positives from the US (& UK) involvement in Afghanistan. From Bush, through Obama and Trump to Biden."
    
    Excluding Trump from that list I would agree. I would have been interested to see how he would have gone about it. Especially since he would have left sooner (he set the date for May)
    
    4 14 Reply
    1. Tuesday 21st September 2021 17:01 GMT Anonymous Coward
      
      Re: Ouch
      
      Interesting. Why exclude President Trump?
      
      2 0 Reply
      1. Wednesday 22nd September 2021 07:17 GMT Anonymous Coward
        
        Re: Ouch
        
        I think that's a self-answering question: because he's a "blinkered partisan fool".
        
        4 3 Reply
      2. Wednesday 22nd September 2021 09:25 GMT codejunky
        
        Re: Ouch
        
        @AC
        
        "Interesting. Why exclude President Trump?"
        
        Because Trump called an end to the war (even though he was then voted out before withdrawal), set the aim of the engagement so it would finally end and Biden fluffed the exit. The idiot AC replying this is partisan seems to think Bush was a democrat. The war needed to end and Trump is the first to have done anything about it.
        
        4 3 Reply
        
        Wednesday 22nd September 2021 09:58 GMT Anonymous Coward
        
        Re: Ouch
        
        Wow. I think it is clear who the real idiot is after reading the above post.
        
        2 2 Reply
        
        Wednesday 22nd September 2021 10:26 GMT Anonymous Coward
        
        Re: Ouch
        
        "The war needed to end and Trump is the first to have done anything about it."
        
        Is that President "I could win a war in a week!" Trump? Are you one of those QAnon-4/8chan/kun dweebs who believe President Trump is a 4D chess playing God Emperor ? To quote the man himself. "Sad."
        
        3 2 Reply
        
        Wednesday 22nd September 2021 11:00 GMT codejunky
        
        Re: Ouch
        
        @AC
        
        "Are you one of those QAnon-4/8chan/kun dweebs who believe President Trump is a 4D chess playing God Emperor ?"
        
        Nope but are you that dumbass AC troll thats been following me around?
        
        1 6 Reply
      3. Wednesday 22nd September 2021 16:52 GMT bombastic bob
        
        Re: Ouch
        
        Rule 69: any online discussion of world events after 2016 will eventually degrade into "Trump Hate"
        
        icon, because, facepalm
        
        0 2 Reply
        
        Thursday 23rd September 2021 14:03 GMT Anonymous Coward
        
        Re: Ouch
        
        No hate. I clearly referred to him as President Trump and my scorn was for all of them back to Bush Jnr. Remember him? The one who engaged the whole western world in a pointless war in the Persian Gulf. Instead of just going into Afghanistan, deep-sixing every last AlQaeda-ist they could find. And then withdrawing.
        
        1 0 Reply
Tuesday 21st September 2021 13:05 GMT wolfetone

Starting to think the Guntrader owners use the same security guys as the MoD.

5 0 Reply
Tuesday 21st September 2021 14:51 GMT Danny 2

Egregious numpties

This is appallingly bad. I've worked for some remiss employers, I've made mistakes myself, sometimes as sysadmin in compromised places, and yet nothing this basic would have failed.

The person who did it, and the person who hired them, should face serious criminal charges. The responsible minister should resign in disgrace and without any pension, if the word responsible still means anything after the Falklands War. This is akin to abetting terrorism. This is lives. None of my errors cost lives.

10 0 Reply
1. Wednesday 22nd September 2021 07:30 GMT SundogUK
  
  Re: Egregious numpties
  
  What the fuck has the Falklands War got to do with this?
  
  0 2 Reply
  1. Wednesday 22nd September 2021 07:40 GMT cshore
    
    Re: Egregious numpties
    
    Because Lord Carrington's resignation over the Falklands is often cited as the last time a government minister exhibited a sense of honour and resigned.
    
    11 0 Reply
2. Wednesday 22nd September 2021 10:06 GMT SCP
  
  Re: Egregious numpties
  
  At face value the failings here seem much deeper than the person who ended up posting the stuff.
  
  Why were the personal details available on an open system that made it possible to email. Either the data was not under a high security classification (given the entirely forseeable consequences to those at the sharp end, and the harm to the UK's interests) OR the general handling of such data is improper - which casts doubt on the entire department (or wider): this is a significant institutional failure.
  
  Given the earlier breaches of PERSEC during the initial evacuation (which might have resulted from the exigent circumstances of the operation) the concerns will have been widely known - there cannot be any excuse for not being on alert for further risks or not identifying and correcting failings.
  
  The whole thing smacks of a level of complacency that will (and probably already has) result in people getting killed; and if this complacent attitude is not stomped on it will result in even more people getting killed.
  
  1 0 Reply
3. Wednesday 22nd September 2021 11:37 GMT Cederic
  
  Re: Egregious numpties
  
  I fail to see why the Minister should be held accountable.
  
  This is a process failure. The Minister could (and may) have asked whether processes are in place, and has a reasonable expectation that the extensive cyber security training we all know the Civil Service must receive would be a measure to prevent this type of issue.
  
  That the training failed, the process wasn't followed and someone made a mistake shouldn't require Ministerial resignation. Otherwise we'll be getting through Ministers at the rate of several a day.
  
  0 2 Reply
  1. Wednesday 22nd September 2021 16:24 GMT Anonymous Coward
    
    Re: Egregious numpties
    
    "I fail to see why the Minister should be held accountable."
    
    You should work in Cabinet. You'd fit right in. There may be a position at the Post Office that would suit too. And perhaps even a gong!
    
    0 0 Reply
Tuesday 21st September 2021 15:47 GMT AW-S

How much can the ICO fine those responsible?

Would the calculation be based upon the MoD annual budget?

3% of £44.6 billion will keep the ICO afloat for some time to come. They might recruit some extra staff and deal with a couple of my complaints then.

5 0 Reply
1. Wednesday 22nd September 2021 11:58 GMT Cederic
  
  Re: How much can the ICO fine those responsible?
  
  I believe the ICO will ask if you've raised this with the responsible organisation and exhausted their processes first.
  
  Good luck finding the right people to even start those processes.
  
  I've given up trying to raise things with the ICO. For example they can't investigate because I didn't raise an issue with Google, even though I highlighted that Google are breaching the law in how they act towards over 40 million people in the UK and offer no direct means of contacting them to address this. Thanks ICO.
  
  1 0 Reply
Tuesday 21st September 2021 16:39 GMT Anonymous Coward

GDPR requires technical measures as well as organisational measures

The classic mistake of "using CC instead of BCC" is probably the main cause of unintended data breaches in general. It a form of human error and therefore any organisation-defined procedures are likely to have limited impact on reducing the occurance of such mistakes. That is why technical measures should be implemented by organisations (both public sector and businessess) to vastly reduce the scope for such mistakes to happen.

Indeed the GDPR covers technical measures, i.e. in GDPR Article 5(1)(f):

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

However the ICO never seem to bother prosecuting any org who fails to implement any, or insufficient, technical measures. The vast majority of organisations are unlikely to bother implementing suitable technical measures until the ICO starts taking action due to their absence.

4 0 Reply
Tuesday 21st September 2021 17:31 GMT Ian 55

Takes about a minute to tell Postfix 'don't allow any outgoing email to have more than ten addresses in the to: or bcc: fields'.

Saved various people here lots of embarrassment over the years.

6 0 Reply
1. Monday 4th October 2021 12:07 GMT Ian 55
  
  'to: or cc: fields' of course. My fingers almost automatically change cc into bcc!
  
  0 0 Reply
Tuesday 21st September 2021 18:36 GMT Anonymous Coward

It's so much worse than that ...

The Taliban have already begun to identify people abroad and how they can be "persuaded" to do their bidding at arms length. This will just make that process so much easier.

Believe me, there are plenty of 100% "clean" Afghan people who have fled west than would pass any number of security checks and yet still end up having to follow orders or know their entire family back in Afghanistan are condemned to a pretty horrible fate.

1 0 Reply
Tuesday 21st September 2021 20:49 GMT Norman Nescio

It happens to the best of people...

El Reg in email address blunder (24 Oct 2011)

So, very nearly 10 years on, the same problem keeps on happening. We should not blame the victim, we should blame the software design that allows bungles like this to happen. Both email clients and MTAs should work together to query over-long CC-lists, but I recognise that the technical problem is not easy to solve. Setting up an MTA to refuse to forward an email with more than a set number of CC (or even direct) recipients is easy (deciding the 'set number' isn't), but if an email address is actually a mailing-list address, you can still (embarrassingly) send an email to all the inboxes of an entire organisation with a single entry in the To or CC field.

My email client tells me if I have an empty subject field. It does some pattern matching to ask if I have forgotten an attachment if an email contains certain keywords and lacks an attachment, so I think it is reasonably possible to have a client that warns on a long CC-list. Similarly, an MTA could put an email with a long CC-list in quarantine and send a message back to the sender asking if they are sure it should be sent. Really sensitive stuff could require two separate accounts to agree to release an email from quarantine.

Relying on fallible humans to get it right every time is a recipe for disaster. Lives really are at stake.

NN

1 0 Reply
Wednesday 22nd September 2021 11:39 GMT Fred Flintstone

Yes Minister again..

I'm presently working my way through the whole box set of Yes Minister/Yes Prime Minister.

Given the scandalous way that things are still going at government level it seems more a documentary.

1 0 Reply
Wednesday 22nd September 2021 13:00 GMT Robert Carnegie

I'm not clear if this has just now happened, or if the BBC held off on revealing the story until an initial attempt could be made to clean the mess up.

A mess which apparently includes one or more recipients doing a "Reply to all".

0 0 Reply