\n<\/p>\n
Ministry of Defence staff were warned before the Afghan data leak not to share information containing hidden tabs, according to documents released by the UK’s data regulator.<\/p>\n
Last month it emerged that the details of almost 19,000 people who had applied to move to the UK were leaked when an official emailed a spreadsheet that contained a hidden tab with the information.<\/p>\n
Documents released by the Information Commissioner’s Office (ICO) also show that staff there raised concerns about why the body had not issued a fine to the MoD.<\/p>\n
The MoD said they had worked to improve data security, but an ICO spokesperson said the government had not yet done enough to learn the lessons.<\/p>\n<\/div>\n
According to an ICO memo, guidance in place at the time of the leak showed that the “MoD was aware of the risks of sharing data and explicitly referenced the need to remove hidden data from datasets”.<\/p>\n
Hidden tabs are a common feature in spreadsheet software and make information invisible to the user, but still easily accessible if the settings on a document are changed.<\/p>\n
The government estimates that the 2022 leak, which led to an emergency resettlement scheme for people at risk of persecution by the Taliban, will eventually cost around \u00a3850m.<\/p>\n
A super-injunction granted by the High Court in September 2023 prevented the incident being reported for almost two years, before the order was lifted last month<\/a>.<\/p>\n Shortly after the MoD became aware of the data breach in 2023, they informed the UK’s data regulator, the ICO. The two bodies held a number of secret meetings over the next two years and documents published by the regulator reveal some of what was discussed.<\/p>\n They say that government officials described the leak as likely “the most expensive email ever sent”, and internal emails also show that ICO staff raised concerns about why the body had chosen not to independently investigate the MoD or issue a fine.<\/p>\n Data breaches by public bodies must legally be reported to the ICO, which can then decide to investigate and potentially fine the organisation responsible.<\/p>\n ICO staff privately discussed the potential “reputational risk” to the regulator after it chose not to take action against the MoD, despite issuing a \u00a3350k fine for a much smaller Afghan data breach in 2023.<\/p>\n In an email sent the afternoon before the leak became public, one ICO staff member said their justification for not fining the government was still an “imperfect answer”.<\/p>\n The documents were published by the ICO earlier this month following a Freedom of Information request which was not submitted by the BBC.<\/p>\n<\/div>\n Written notes were forbidden during the secret meetings, but an ICO memo detailing the whole timeline was drawn up after the incident became public just last month.<\/p>\n The memo says the MoD took “intensive measures to recover and delete data from all identified sources” and “limit loss of control” after the breach was discovered.<\/p>\n In a private email discussion, one ICO staff member questioned why it was “taking so long to decide whether to investigate” and said “if I was a journalist I would ask why has it taken two years to ascertain whether or not to take action”.<\/p>\n Another said the ICO had played a “significant role” but said “the reality is that we have only been able to review information in situ and been reliant on the MoD to gather evidence under our guidance”.<\/p>\n Documents show the ICO ultimately decided against sanctioning the MoD because it did not want to “impose additional cost to the taxpayer”.<\/p>\n