Inquiry launched into Afghan data breach, MoD secrecy classifications linked

Parliament's Intelligence and Security Committee (ISC) has launched an inquiry into the Ministry of Defence (MoD) 2022 personal data breach that exposed the identities of thousands of Afghans and British military officials. The data breach, which led to an unprecedented superinjunction, meant the ISC was only briefed last week.

Chairman Lord Beamish has demanded the immediate provision of all related intelligence documents for review. The MoD has welcomed the scrutiny, committing full support to the ISC and other parliamentary committees. 

Meanwhile, the UK Defence Journal reports the MoD has confirmed that it has introduced a series of reforms in response to the data breach, including the commissioning of several audits. All the recommendations from these audits have been accepted and are either complete or are ongoing, according to Defence Minister Lord Coaker, following a written question from Lord Alton. He went on to confirm that prioritising data protection within the Defence Afghan Relocation and Resettlement (DARR) " is a key priority of this Government to reinforce data handling practices." 

The news comes as a report in the Financial Times (token applied) asks whether MoD policies intended to increase data protection may have inadvertently led officials to become less vigilant when handling less sensitive material. 

According to Matthew Savill of the Royal United Services Institute, the MoD has not fully adjusted to the information age and struggles to handle "sensitive" data that falls below the "secret" classification.

Former soldiers believe the email was likely misclassified as "official," the least rigorous security classification that permits internet access. The leaked dataset itself had no classification markings. Officials claim that many government agencies find it inconvenient to use "Secret" or "Top Secret" channels, which often require accessing a Sensitive Compartmented Information Facility (SCIF). In addition, the article notes that security measures prohibiting external link sharing can sometimes lead to officials simply attaching documents, turning a security measure into a vulnerability. Cross-government communications, in particular, were identified as being susceptible to such misclassification and mishandling.

Token applied - This Financial Times article should be free to access.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.