Did UK’s military data rules make a leak more likely?

The leak by the UK’s Ministry of Defence of identifying information for thousands of Afghans was the latest in a string of blunders that has raised questions about the department’s handling of sensitive data.

This week’s revelation — that a database with details of 25,000 people was emailed out in 2022 — followed a series of breaches in 2021 that saw the department later forced to pay £1.6mn in compensation to more than 250 individuals. 

In those cases, an email was sent to a large number of people in the ‘To’ field without hiding the other recipients, a serious error as it would have revealed the names of those who had applied for resettlement in the UK to others on the list. 

This week’s revelation has raised questions about the department’s digital prowess — or whether its staff are simply more likely to make errors in the fast-moving and intense process of relocating people from Afghanistan. 

Former soldiers and officials also speculated that, in some cases, guardrails intended to increase data protection may inadvertently cause officials to become sloppier when handling less sensitive material. 

“The MoD, like many government departments, has not fully adjusted to the information age and often struggles to know how to properly handle data that is ‘sensitive’ but not quite at the level of ‘secret’,” said Matthew Savill, who worked for two decades as an MoD official and is now director of military sciences at the Royal United Services Institute think-tank. 

“People in the MoD are not blasé about this sort of thing but there is a real difference between how they treat ‘secret’ and ‘sensitive’.”

A number of former soldiers — who were not involved in the data leak — told the FT they believed the email in question was likely misclassified as “official”, the least rigorous of three security classifications and the only one which allows a user to access the internet.

The dataset itself bore no classification markings, according to people familiar with it.

Official classification is information “which could cause no more than moderate damage if compromised”, according to official guidelines.

Secret and Top Secret, the two other classifications, cannot be sent over the internet, and require a Sensitive Compartmented Information Facility (SCIF) to be accessed. These rooms prohibit private phones or other recording devices.

After it emerged on Thursday that the spreadsheet contained information on MI6 operatives and UK special forces, Savill said this may well have been a breach of the rules for protecting their identity.

Several former soldiers said emails sent to other government departments outside the military were particularly vulnerable to being misclassified. “Cross-government comms are very clunky,” said one. 

In particular, information would have been shared with the Foreign Office or the Home Office — two agencies which were involved in resettling Afghans after the fall of Kabul.

Many government agencies “almost never” use Secret or Top Secret channels requiring use of a SCIF room. “Secret information can be very annoying to deal with if your SCIF is in another building, for example,” said another former soldier.

Security measures designed to stop access to MoD systems — such as blocking sharing links with external parties — could end up creating their own problems, Rusi’s Savill added.

“These mistakes are also a product of how information is shared — precisely to prevent there being too much external access to the MoD’s networks,” he said.

“Because you cannot share links with external parties, people end up just attaching the document. What is meant to be a security measure actually becomes a problem,” he added.

“There was a constant drive within defence on information management, with mandatory training — but a click box test every two years does not drive cultural change.”

The MoD has “specialist information managers”, who are intended to “stop you from making these kinds of mistakes”, he added. But a drive to cut the number of civil servants meant these would “always be seen as an overhead”, he said.

Others have questioned whether the MoD had a specific problem with treating Afghan data carefully.

Sara de Jong, a professor at the University of York who has worked with charities to bring Afghan interpreters to the UK, said there appeared to be “a structural disregard for handling their data carefully”.

She added that when the MoD did want to keep things secret “it does manage to do so”, contrasting the treatment of Afghans’ data involved in the breach with actions to keep the leak out of the public domain.

The MoD said this week it has taken steps to improve communication security, introducing new software and data training, and has appointed a new chief information officer.

“Since coming into office, this government has put a huge emphasis on improving data security across the Ministry of Defence,” it said.

Others have also been critical of the MoD.

Former Conservative MP Johnny Mercer, who served in Afghanistan before becoming a government minister, described it as “mind-boggling” that a spreadsheet could have been sent “of all those with ties to the British state to an Afghan national”.

Defence minister John Healey and former defence minister Ben Wallace — who was in post at the time of the leak — have both apologised for what happened.

The soldier who sent the email behind the largest leak has not been named by the MoD, but UK officials have said they no longer work on Afghan relocation.

James Heappey, who was armed forces minister at the time of the breach, said that it was “gut-wrenching to find out that someone in the MoD had screwed up so awfully” but said it was wrong to blame one individual for the system.

“I also came to find out subsequently that they were incredibly dedicated to those we served with in Afghanistan,” he said. “Few had done more to get people who served alongside our special forces out of Afghanistan.”

The pressure of the moment — rushing to evacuate people as the Taliban swept into Kabul in August 2021 — may also have played a part in the earlier leaks. “Everyone was overworked and not sleeping much,” one former soldier said.

In this environment, mistakes can be made — and missed, said another former soldier.

It was possible that the spreadsheet was emailed to a long distribution list, they added, which might have included other government departments, as well as to an insecure civilian email address which no one noticed. 

“At the end of the day we are all using Microsoft Stack,” the former soldier said, adding that it was “so easy to send an email to an uninitiated recipient”.

Financial Times
