On Sept. 20, 2021, it came to light that the UK's Ministry of Defence (MoD) had committed a basic mistake: It had included the email addresses of hundreds of Afghan interpreters, many reportedly still in hiding in Afghanistan, within an outbound email.
Just today, a second MoD data breach involving Afghan interpreter email addresses was discovered, compounding the mistake.
This is more than a mere breach of data privacy; the ramifications include potentially endangering the lives of these individuals and their families.
Information security, as a discipline, focuses on protecting the confidentiality, integrity, and availability (CIA) of information; cybersecurity, as a subset of information security, focuses on protecting the CIA of digital information.
An individual's email address (business or personal) is categorized as personally identifiable information, or PII, and most organizations are bound by regulations to keep PII confidential. In the MoD security breach, email addresses and in some cases photographs of individuals were reportedly included.
This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation. If that information gets into the wrong hands (and having 250 email recipients massively expands the opportunity for malicious actors to access this email and act upon its contents), there is the potential for the lives of the interpreters and their families to be endangered.
Maintaining data privacy must not merely be a "best practice" in organizations, it must be standard practice. Security controls require people, process, and technology to work successfully, and neglecting any single aspect of this means that these controls can be rendered ineffective. The MoD data breach highlights the importance of all three: People must be trained and educated to understand not only what they must do when it comes to data privacy, but also why they must do it; processes must be robust, clear, and enforced; technology must be able to identify potential mistakes and ideally prevent them before a worst-case scenario can occur.
The combination of people, process, and technology create security controls to protect the confidentiality of information trusted to the organization by an individual. Layering security controls helps organizations not only protect the data that it is responsible for, but in many cases, also helps protect the lives of the individuals whose PII is held.
Apologies from the MoD are no doubt likely. Apologizing after an event of this magnitude, however, is too little, too late.