Last week featured reports on one of the UK’s most significant data breaches in a long time.
The breach itself goes back to 2022, when someone in the Ministry of Defence (MoD) leaked the personal data of thousands of Afghans who supported British forces. The leak has been described as a ‘mistake’, i.e. human error.
We are only finding out about this now because the superinjunction obtained by the UK government, preventing details from being made public, was lifted on Tuesday.
It is not difficult to see the extraordinary human impact this breach is likely to have or has already had, in addition to the eye-watering sums of money that will no doubt be involved in relocations and compensation. It comes as no surprise that the story hit the headlines in the way that it did.
Those, like me, working in data protection often experience an odd and rather contradictory reaction to stories like this.
On the one hand, the sheer scale of the human impact on the individuals concerned is appalling. For many of the people whose data was leaked, this is literally about life and death. But on the other hand, stories like this provide real-world proof that data and its protection matter – and matter a lot. These moments are an opportunity for us to reflect on that and learn from the mistakes that have been made.
Data protection legislation is wordy, filled (unsurprisingly) with plenty of legalese. This may be necessary, but it has consequences.
People often feel it is unfathomable, or simply a tick-box compliance exercise. That is a shame, because, as this story so powerfully illustrates, the thing that matters most is the people behind the data. The more we engage with that, the easier it becomes to accept (and even, dare I say it, embrace) the requirements of the law.
One such requirement is that data should be kept secure and only disclosed to those who are properly authorised. It is one of the most important pillars of the law, and failures can be hugely consequential. This ‘mistake’ shows that, even at the highest levels, things can go very wrong.
And what is so extraordinary about this breach is its simplicity.
In a world so (rightly) exercised by AI and cyber-attacks, it seems almost impossible to contemplate that this devastating data loss was caused by someone simply sending an Excel spreadsheet somewhere they shouldn’t have. It is worth taking a moment to take that in. This was not a complex breach, masterminded by some anonymous, hooded hacker: this was an employee of a very senior government department sending out an email in error.
It brings to mind the breach that happened at the Police Service of Northern Ireland (PSNI) in 2023. In a strikingly similar set of circumstances, that breach occurred when a staff member mistakenly included a list of all employees in a response to a Freedom of Information Request.
That breach affected over 9,000 individuals and had a very significant impact on many of them. I am confident that if a serving PSNI police officer had been asked that morning what they were most fearful of as they headed off to work that day, they would not have said their employer.
Our lives, workplaces, and world are powered by and dependent on data. It has economic value, but also human value. Knowing that, we need to improve how we manage it, in a way that covers both our legal and our ethical responsibilities.
The risks from malign external forces are very real, but so too are the risks from internal failures, and no one, not a single one of us, is immune.
There is a saying that goes something along the lines of ‘The wise learn from their mistakes, but the even wiser learn from the mistakes of others’.
