Accidental Data Breaches: Lessons From the PSNI and Afghanistan ‘Super Injunction’ Data Leak
by Charlie Maclean-Bristol
Charlie Maclean-Bristol discusses accidental data breaches and gives an insight into the key takeaways so similar breaches don’t occur in our own organizations.
Three things came together to inspire me to write on the above subject this week. Firstly, the news of the Afghanistan super injunction and its impact has been all over the news. Secondly, Kim, my wife, was on her weekly company call to discuss compliance and I overheard a long conversation about the importance of document security classifications. Lastly, there was a BBC Panorama on the threat from cybersecurity, focusing on the M&S and Co-op breaches, which I watched last night. Hearing about the Afghanistan data breach got me thinking that not all data breaches, including those with serious consequences, are always caused by hackers – managers or other staff members are quite able to cause the breach themselves inadvertently, through a combination of poor procedures, training, and checking.
When I heard about the Afghanistan breach, it immediately reminded me of the Police Service of Northern Ireland (PSNI) breach, which occurred under similar circumstances. Due to an inadvertent error, it had a similar impact on those whose data had been lost. According to the PSNI report on the breach, published on the 11th December 2023, there have been no direct attacks due to the leaking of the data. However, it had lowered morale, put a number of police officers in fear for their families’ lives, and one had relocated to keep themselves and their family safe. There is some good information on the ICO website detailing the impact on PSNI staff.
In my reading, there is some debate on the impact of the data breach in the Afghanistan case. The Defence Secretary John Healey said he was “unable to say for sure” whether anyone had been killed as a result of the data breach, as most of the information contained in the breach was known to the Taliban already, whilst the Daily Telegraph investigation looked at the possibility of 200 Afghan lives being lost to Taliban attacks relating to lost data.
In both cases, there has been a significant human aspect and a greater individual impact than many other cyber ransomware attacks which have resulted in data exfiltration and subsequent disclosure.
PSNI Incident
On the 8th August 2023, the Police Service of Northern Ireland (PSNI) experienced a significant data leak, which resulted in the online publication of names, job roles, and locations of approximately 10,000 police personnel and staff. The incident stemmed from a mishandled response to a Freedom of Information (FoI) request.
The request had sought statistics on the number of officers at each rank and the number of staff in various grades across the service. In responding, PSNI released a spreadsheet that not only contained the requested figures, but also included embedded details such as surnames, initials, ranks or grades, work locations, and departments for all serving employees. This file was published on the FoI website ‘What Do They Know’.
It remained online for roughly two hours before PSNI realised the error and took it down. However, during that time, the data is believed to have been accessed, and there are concerns it may have been obtained by dissident Republican groups.
Afghanistan Incident
In February 2022, a serious data breach occurred within the UK Ministry of Defence (MoD) when a Royal Marine mistakenly sent an internal spreadsheet containing sensitive personal details of Afghan nationals applying to relocate to the UK under the Afghan Relocations and Assistance Policy (ARAP) scheme. The ARAP scheme was a government programme, offering resettlement to Afghan interpreters, security staff, and other local personnel who had worked alongside British forces, and were at risk following the UK’s withdrawal from Afghanistan.
The spreadsheet was intended to include a limited number of names for administrative processing, but it inadvertently contained embedded information on over 18,000 applicants—including full names, contact details, application statuses, and affiliations with British forces. This file was emailed via unsecured channels to multiple recipients.
The breach went undetected for over a year until August 2023, when parts of the data surfaced in an Afghan Facebook group used by applicants. At that point, officials became aware of the exposure. It is widely believed that during this time, the information was accessed by hostile actors, putting many applicants and their families at significant personal risk.
Following the discovery, the UK government launched a covert evacuation effort to relocate those affected, ultimately bringing thousands of individuals and their families to safety. The operation is estimated to have cost between £800 million and £850 million, making it one of the most expensive post-conflict humanitarian responses in recent British history.
Although the breach occurred in early 2022, the public and even many in government remained unaware of its scale and seriousness for over two years. This was largely due to a legal super-injunction imposed in September 2023, which prevented not only the publication of details about the breach but also any mention that such an injunction existed. The government argued that disclosure at the time could jeopardize national security and endanger lives. It wasn’t until July 2025—when the High Court ruled that the Taliban likely already had access to the data—that the injunction was lifted and the full extent of the breach was revealed to the public and Parliament.
Both breaches involved a spreadsheet and the inadvertent disclosure of information, so what can we learn to protect our own organization from making the same catastrophic error? In the PSNI case, there is a report on the incident published in December 2024 containing a number of recommendations to prevent this from happening again, from which I have summarized a majority of the recommendations. To date, there have been no recommendations from the Afghanistan breach.
Learning Points
- The need for robust policies and training in relation to data handling and dealing with FOI and Subject Access Requests (SARs). The PSNI report said that the training and procedures for the management of data were poor and confused, and roles and responsibilities were not clear. Dealing with these subjects in an organization is not always a high priority and not seen as core business, so there may be a great number of other organizations out there with similarly poorly defined procedures and responsibilities.
- Understanding the sensitivity of the data you are handling and having a culture that puts a high premium on protecting personal data. When the PSNI were preparing the FOI request, five different people were involved in the process of preparing the data and then checking it before it was sent out. My feeling is that getting the process right and providing what the person was asking for was more important than looking at the data which might have been held in the spreadsheets. Organizations need to be hyper-aware of the data they hold and the value and impact if it is lost. This needs to be embedded in the organization’s culture.
- Understanding spreadsheets. In both breaches, data was hidden in the spreadsheet and was not deleted or noticed before the spreadsheet containing sensitive data was sent out. The PSNI report mentioned that understanding of Excel was not high, which made it more likely that data might be sent out inadvertently. In 2023, the ICO developed a checklist for checking Excel spreadsheets before they are sent out, and also a guide on “How to disclose information safely.” They also recommend sending CSV or PDF files, which are much less likely to contain hidden data.
- Act fast if you detect a data breach. The PSNI was able to remove the information within three hours of it being posted. If the data is posted on a third-party site or on social media, getting it removed is probably a lot easier for a police force than for a private company, but at least have a plan for trying to get it taken down. It may be worth discussing this with lawyers beforehand, as they will be able to tell you whether a legal approach may speed up the process of making that data unavailable. The Irish Health Service Executive, after their data breach in May 2021, took out an injunction which made it an offense to use the health data released, and this might be an option for your organization.
- Have a plan. Have a data breach plan which lays out the roles and responsibilities for a data breach and the actions which need to be taken in response to it. As we see from these two cases, it is not always hackers who cause the breach. As part of the plan, be aware of your statutory notifications and when they have to be carried out. If you hold data on non-UK personnel in jurisdictions outside the UK, then you should be aware of their notification requirements.
- Have a communications plan. As part of the plan, you should have thought through how you would communicate in the event of an accidental breach. Much of the playbook for communications after a cyber incident may not work, as the breach was not caused by external parties.
- Have a disclosure culture. I am sure lots of disclosures take place and they are never disclosed, as the person who is aware of them keeps quiet and hopes the breach is not noticed. In the Afghanistan case, the breach was not brought to the authorities’ notice for a year and a half. Was anyone aware of this and kept quiet? I am not sure. We need a culture in our organizations where staff are confident to declare a breach, and their automatic reaction is not to cover this up to protect themselves. Those discovering a data breach should be able to recognize a breach has taken place, take steps to prevent any further disclosure, and be able to report it appropriately.
In the Panorama program I referred to at the beginning of this bulletin, the National Crime Agency (NCA) person interviewed said this was the worst year ever for cybercrime so far, and there seems to be no end to the number of attacks. All organizations need to take appropriate measures to protect themselves from a cyber attack, but we must recognize the impact of an internal breach and make sure that we have the internal procedures, training, and culture, to ensure that a similar breach to the PSNI or Afghanistan one does not occur.
++++++++++++++++++++++++++++++++++++++++++++++++
This article was originally published by BC Training Ltd.
Charlie Maclean-Bristol is the author of the groundbreaking book, Business Continuity Exercises: Quick Exercises to Validate Your Plan