Sponsored By

Enterprise cybersecurity technology research that connects the dots.

UK MoD Data Breach Shows Cybersecurity Must Protect Both People and Data

The UK MoD has failed to protect personally identifiable information (PII) for Afghan interpreters; the incident highlights how avoidable cybersecurity mistakes can have devastating consequences.

Maxine Holt

September 22, 2021

2 Min Read

On Sept. 20, 2021, it came to light that the UK's Ministry of Defence (MoD) had committed a basic mistake: It had included the email addresses of hundreds of Afghan interpreters, many reportedly still in hiding in Afghanistan, within an outbound email.

Just today, a second MoD data breach involving Afghan interpreter email addresses was discovered, compounding the mistake.

This is more than a mere breach of data privacy; the ramifications include potentially endangering the lives of these individuals and their families.

Information security, as a discipline, focuses on protecting the confidentiality, integrity, and availability (CIA) of information; cybersecurity, as a subset of information security, focuses on protecting the CIA of digital information.

An individual's email address (business or personal) is categorized as personally identifiable information, or PII, and most organizations are bound by regulations to keep PII confidential. In the MoD security breach, email addresses and in some cases photographs of individuals were reportedly included.

This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation. If that information gets into the wrong hands (and having 250 email recipients massively expands the opportunity for malicious actors to access this email and act upon its contents), there is the potential for the lives of the interpreters and their families to be endangered.

Maintaining data privacy must not merely be a "best practice" in organizations, it must be standard practice. Security controls require people, process, and technology to work successfully, and neglecting any single aspect of this means that these controls can be rendered ineffective. The MoD data breach highlights the importance of all three: People must be trained and educated to understand not only what they must do when it comes to data privacy, but also why they must do it; processes must be robust, clear, and enforced; technology must be able to identify potential mistakes and ideally prevent them before a worst-case scenario can occur.

The combination of people, process, and technology create security controls to protect the confidentiality of information trusted to the organization by an individual. Layering security controls helps organizations not only protect the data that it is responsible for, but in many cases, also helps protect the lives of the individuals whose PII is held.

Apologies from the MoD are no doubt likely. Apologizing after an event of this magnitude, however, is too little, too late.

About the Author(s)

Maxine Holt

Research Director, Omdia

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong understanding of the Office of the CISO, the security challenges CISOs face, and how organizations can look to overcome these challenges.
 
Before rejoining Omdia (as Ovum) in 2018, Maxine spent over two years at the Information Security Forum (ISF) developing research in areas including Protecting the Crown Jewels and Securing Collaboration Platforms. Prior to the ISF, Maxine spent 15 years at Ovum covering topics including security, human capital management, and identity and access management. Maxine has a particular interest in how all the component parts of security combine to make up an organization's security posture. She focuses specifically on the Office of the CISO.
 
Maxine started her career as a software developer in the financial services industry. She gradually progressed into a systems analyst role and then moved into consulting for the financial services and Internet sectors. Maxine is a regular speaker at events and writes a monthly Computer Weekly article covering various aspects of information security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights