The British Ministry of Defence shared the email addresses and PII of more than 260 Afghan interpreters in a bulk email that was sent out to people trying to relocate to the UK. The list included people still in Afghanistan as well as some who had been able to flee the country.
Former Defense Minister Johnny Mercer told BBC Radio: “The reality is we’ve left the vast, vast majority of our interpreters behind so this is going to have a profound impact on people who are still in the country.” Mr. Wallace revealed to the Daily Mail that the UK “has been unable to contact eight of the 260.” The email was sent to the interpreters by the team in charge of the UK’s Afghan Relocations and Assistance Policy (Arap). Apparently, some of the recipients did not notice that all of the emails were exposed, and they replied to the outreach with details of their personal situations.
<p>The Ministry of Defence has launched an investigation into the data privacy failures and has reportedly taken steps “to ensure this does not happen in the future.” But with two serious data breaches happening within days, and another breach happening only a few months ago when a member of the public discovered sensitive documents at a bus stop, serious questions must be asked about how such violations are allowed to happen.</p>
<p>Furthermore, while the immediate priority must be to secure the safety of those put at risk by the MoD’s haphazard email processes, those responsible must ultimately be held to account. Lives have been put at risk and this is simply unforgivable.</p>
<p>When we add up the costs of data breaches, rarely do we consider human lives. But that’s exactly what has the potential to happen with a UK Ministry of Defense data breach that inadvertently sent out an open email to those Afghans who collaborated with the British during the long war. Because all received the email addresses and personal information of everyone else, it is inevitable that this information will fall into the hands of those that wish them harm.</p>
<p>This is an inexcusable mistake by the Ministry of Defense, and no amount of advice on managing risks can make up for it. We should treat all correspondence as if those people’s lives will depend on getting it right. Not doing so normally is simply an error in judgment, but in this case, it has life-threatening consequences.</p>
<p>There is no better story that exemplifies that data is life – and lives are at stake. Like the Colonial Pipeline IT breach – if an enterprise’s data and resources are compromised – lives can be at risk. The sad part is the best practices for cybersecurity have been detailed and most cyber incidents can be avoided if these practices are followed.</p>
<p>It doesn’t matter if the guidelines are the NIST Cyber security framework 800-53, which is the general guideline for cybersecurity put out by the U.S. Department of Commerce – or the new NIST 800-171 which details best practices to secure data for defense contractors – the best practices are known, documented and communicated. The rush to deployment of resources – often leaves many of these steps ignored. Unfortunately, to our own peril.</p>
<p>Even with the most sophisticated network defense available, security compromises can happen in seemingly innocent ways. This is a serious reminder that we need to invest in cyber security training and talent. As a community, we need to improve the way communications and sensitive data are handled or we will continue to face these kinds of issues.</p>