UK Ministry of Defense

€400,000

Insufficient technical and organisational measures to ensure information security

Decision Date

December 13, 2023

Authority

Information Commissioner (ICO)

GB

Sector

Public Sector and Education

Country

GB

Law

GDPR

Status

FINAL

Description

The UK DPA has fined the Ministry of Defense EUR 400,000 for disclosing personal data of individuals who were to be relocated to the UK after the Taliban took control of Afghanistan in 2021. The Ministry of Defense had sent an email to a distribution list of Afghan nationals who were eligible for evacuation without hiding the e-mail adresses and thus revealing the personal e-mail addresses and personal data of the recipients to the other e-mail recipients. The ICO stated that if the data had fallen into the hands of the Taliban, it could have led to a threat to lives.

Issues & Violations

Insufficient technical and organisational measures to ensure information security
View Official Document
Back to Fines Database
Previous Fine
Spanish Data Protection Authority (aepd) - VACACIO...
Next Fine
Data Protection Authority of Hamburg (HmbBfDI) - C...

Stay Updated on Privacy Enforcement

We respect your privacy. One email per month, no spam, unsubscribe anytime.