Statement
On 21 September, I committed to update the House on an investigation into MOD data breaches concerning the email addresses of Afghan nationals who are eligible for the Afghanistan Relocations and Assistance Policy (ARAP), but at that time remained in Afghanistan.
Incident
The first report of a data breach was received on the evening of 20 September and consisted of 245 live email addresses. On 22 September, following my statement to the House, the MOD was made aware of a previous breach of 55 addresses – ten of which were in addition to the first breach – which had occurred on 13 September. Subsequent investigations identified that a third breach had occurred on 7 September involving an additional 13 email addresses not previously compromised.
Upon learning of the initial breach, I immediately ordered the undertaking of an investigation and any actions that would prevent further breaches. The investigation was conducted in two parts. The first addressed the circumstances of the breach, its causes and the immediate and longer-term actions required to prevent recurrences and mitigate any potential additional risks to those Afghan nationals affected. The second part of the investigation concerned the data handling and data protection arrangements that were in use by the ARAP team and made recommendations on how best to ensure an appropriate data handling regime was in place.
Investigation Findings
The investigation has concluded that the breaches arose in almost identical circumstances. All three took place in the ARAP casework team, tasked with providing personal support and advice to the cohort of ARAP-eligible Afghan nationals and all involved a group email to elements of that cohort, which used the ‘carbon copy’ instead of ‘blind carbon copy’ field to anonymise the recipients.
The cause of these mistakes was not simply human error in isolation, but a lack of written standard operating procedures and training, which should have prevented such a mistake being made. That in turn was assessed to be the result of several contributing factors, all arising from the intense speed, scale and operational pressure of the casework, and the fact that the team had been built and then expanded quickly in order to support the rapid increase in activity necessary as a result of the evacuation. As a result, some members of the team were inexperienced and insufficiently trained for such casework management.
The ARAP team’s efforts to evacuate as many Afghans as possible in a short period of time, was followed by a rapid transition to communicating with those who were unable to relocate, in order to begin providing follow-on support. In the haste of this transition the risks arising from changing how officials communicated – which had previously been done on an individual basis, often by telephone rather than email – were not fully recognised or managed.
The Ministry of Defence (MOD) has undertaken further investigation of any possible increased threat to those affected. Whilst media reports have indicated some localised Taliban reprisals against Afghan nationals formerly employed by Coalition Forces, the MOD assesses that the Taliban are not conducting centrally directed and co-ordinated targeting of ARAP-eligible persons. The investigation found that no further personal or locational information was revealed in the data breaches that has substantively increased the ability of the Taliban to target ARAP eligible persons.
All ARAP-eligible individuals whose details were involved were notified within thirty minutes on discovery of the breach on 20 September and advised on actions to minimise the risk to them and have subsequently been contacted to provide additional security advice. The MOD is not aware that anyone has come to harm as a result of these breaches, but continues to provide security support to ARAP-eligible families while they await relocation to the UK.
Remedial Actions
Significant remedial actions have now been taken to prevent such incidents occurring again. These include:
- Establishing new data handling procedures for ARAP casework management
- Ensuring all staff appointed to the ARAP team are fully aware of those procedures and trained in their proper employment
- Creating a ‘Registry’ function, with authority over data handling procedures and a remit to continually improve those processes and assure that all staff are familiar and compliant with them
- Appointing additional ARAP team members with specific responsibilities for all record keeping and information management
- Instigating a ‘two pairs of eyes rule’ so that any external email to an ARAP-eligible Afghan national must be reviewed by a second member of the team before it is sent
- Ensuring that any group emails, such as routine updates, must be authorised at the OF-5 or B1 level (i.e. Colonel equivalent).
As a consequence of the breaches, two personnel were suspended from the ARAP team, pending the outcome of the investigation. The individuals’ actions that contributed to the data breaches were not found to have been deliberate or negligent, but the result of insufficient training and data handling procedures. They have subsequently been reassigned to other roles, outside of the ARAP team.
The ARAP team has now received additional recommendations and support from Defence Digital (the directorate responsible for ensuring effective use of Digital and Information Technology (D&IT) across Defence) which are being applied to further improve the ARAP team’s handling and protection of casework data. Finally, the MOD reported itself to the Information Commissioner and will cooperate fully with all investigations and findings.
The remedial actions outlined above are already providing much greater assurance of data handling within the ARAP team. I am confident that their continued application is sufficient to prevent any recurrence, but have directed that the team seeks to continually improve its processes.
ARAP Progress
The data breaches detailed above were unacceptable and fell short of the high standards to which the MOD typically holds itself. They were also a breach of the trust many former Afghan staff have placed in us to honour our commitment and do all that we can to keep them safe. We continue that work and it is also important to reflect on the scale of the challenges and achievements of the ARAP team.
Since the scheme was launched in April over 89,000 applications have been made and many more continue to be received, each requiring detailed review and processing. As a result of these efforts more than 7,000 Afghan nationals (staff and their families) who worked in support of the Government’s mission in Afghanistan have now been successfully relocated to start new lives in the security of United Kingdom.
There were a further 311 ARAP-eligible Afghans who were called forward with their families during the evacuation operation, but sadly unable to board flights. There are now fewer than 200 remaining in Afghanistan and we continue to work with urgency to relocate all those who remain via a range of routes. Those who have left Afghanistan for third countries are being provided with support in-country and assisted to continue their journey to the UK. As part of that process we have already conducted five RAF flights, carrying more than 400 people. The flights will continue as long as necessary and the ARAP scheme is not time-bounded so any further applicants who are found to be eligible will continue to be relocated indefinitely.
The scale of these achievements should not be underestimated and has been made possible by the professionalism and determination of the ARAP team and their colleagues across Defence who continue to honour our debt of gratitude to the Afghan nationals who supported our operations in the country. ARAP remains a foremost priority for the MOD and I continue to closely monitor the progress of the ARAP team to ensure its performance remains of the highest possible standard.
I would like to take the opportunity to assure the House that although the impact of these breaches appears to have been limited, all breaches of personal data are taken extremely seriously by MOD.
Finally, I offer again my sincerest apologies to all those affected by these data breaches and assure them that we continue to make every effort to relocate them to the UK as quickly and safely as possible.