Thousands more Afghans are believed to be at risk after a cyber security breach at a third-party supplier used by the Ministry of Defence (MoD) has compromised the personal details of up to 3,700 individuals who were brought to the UK between January and March 2024.
The MoD announced on Friday afternoon that names, passport details, and other information from Afghans who arrived in the UK during this period had been potentially exposed due to a breach at Inflite - The Jet Centre, an MoD supplier that provides ground handling services for flights at London Stansted Airport.
This was not an attack directly on the government, but rather a cyber security incident on a sub-contractor that resulted in unauthorised access to its email accounts. It is believed that this breach may have affected former Tory ministers and other key stakeholders whose data may have been compromised during the period of January to March 2024.
This latest breach brings to mind another major data leak that occurred earlier this year, when it emerged that almost 7,000 Afghan nationals would have to be relocated to the UK following a massive data breach by the British military. The former Conservative government had set up a secret scheme in 2023 to relocate these individuals, who were not eligible for an existing programme.
The mistake exposed personal details of close to 20,000 individuals, putting them and their families at risk, with as many as 100,000 people potentially impacted. The previous Defence Secretary John Healey offered a "sincere apology" for the breach, acknowledging that no government wishes to withhold information from the public.
Speaking of the latest breach, a government spokesperson said that they were recently notified of the incident involving unauthorised access to a small number of emails containing basic personal information. The MoD takes data security extremely seriously and is going above and beyond its legal duties to inform all potentially affected individuals.
The incident has not posed any threat to individuals' safety, nor compromised any government systems. Inflite - The Jet Centre confirmed the breach, stating that it had reported the incident to the Information Commissioner's Office and was working with UK cyber authorities to support their investigation and response.
"We have contacted our key stakeholders whose data may have been affected during the period of January to March 2024 as a precautionary measure," Inflite said in a statement. "We believe the scope of the incident was limited to email accounts only, but we are taking all necessary steps to mitigate any potential impact."
As the UK continues to grapple with the fallout from this latest breach, it is clear that data security remains a pressing concern for governments and individuals alike.