Lessons from the Ministry of Defence (MoD) data breach

Data security is about more than protecting digital assets - it's about protecting people and their right to privacy

Now and again, an incident occurs which casts new light on the importance of data security. Data breaches today have become so common that we are now desensitized to stories of malicious attacks and hackers. However, for the 250 Afghan interpreters who fell victim to the UK’s Ministry of Defence (MoD) data incident recently, the impact is immeasurable. 

The MoD has fallen into the same human-error shaped hole which thousands of organizations across the globe find themselves in, every year. While humans are at the heart of business, errors will occur; human error, after all, is human nature. However, not every mistake can be treated as a learning experience. 

The subject of great outrage, the MoD is currently under investigation for an incident which, given the appropriate security practices, could have been prevented.

MoD data leak - what happened?

On 20th September 2021, it was reported that the MoD had failed to protect personally identifiable information (PII) for 250 Afghan interpreters. The story highlights the devastating impact of an entirely avoidable security incident; the email addresses for 250 individuals were incorrectly Cc’d for all to see.  

As with the vast majority of reported data incidents today (over 70% in the UK, according to the ICO), the MoD incident is reportedly due to basic human error. 30 minutes after the initial email was sent, the MoD circulated a second email with the subject line “Urgent - Arap case contact”, telling recipients to delete the previous email and warning "your email address may have been compromised". 

And now, just days later, the BBC has uncovered a second incident involving an email sent a month earlier which mistakenly displayed the email addresses and names of 55 individuals.

With the incident under investigation and the story continuing to unfold, the MoD remains the subject of great criticism.

Data protection is people protection

By its very nature, the disastrous fallout of this particular data incident is rare. However, this is an opportunity to consider the way data is handled today:

“The Afghanistan/MoD data leak news is a stark reality of what can happen when digital communications are not safeguarded (...) All business leaders need to sit back and review how sensitive information is being shared and what support their workforce has to communicate securely. Commonly, incidents such as this result from human error (...) Organizations need to focus on how they can empower their individuals to be able to share information securely when they need, with confidence and with ease to avoid a potentially damaging situation.” - Wouter Klinkhamer, CEO at Zivver

Protecting personally identifiable information (PII) goes beyond ensuring compliance; it is about respecting an individual’s right to privacy. As Maxine Holt points out, cyber security protects individuals, not just their data:

“This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation.”

Too much emphasis today is placed on isolated aspects of data loss prevention strategies. We cannot rely solely on people when human error remains the leading cause of data loss. Equally, technology is not a cybersecurity silver bullet. IT policies and procedures are good on paper but unlikely to guarantee best practice if the aforementioned areas are lacking.

We’re only as good as our tools

Today, cybersecurity goes beyond compulsory training and approved supplier lists. A ‘security-first’ culture is one in which employees are empowered with the tools they require to perform their jobs as securely and efficiently as possible.

While email remains a powerful tool, it leaves a lot to be desired on the matter of security. Fortunately, technology is advancing to pick up where traditional email clients leave off. By automating manual tasks and alerting users in real time to potential errors, machine learning leaves no room for human error in outbound communications.

Accidentally using Cc in place of Bcc accounts for thousands of data breaches annually in the UK, and appears to be the cause of the MoD data incident. That a seemingly small mistake can have such disastrous consequences is an undeniable signal for organizations to harness the power of existing technologies to intervene - not to replace humans, but to empower them in behaving as securely as possible.
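One way to implement a pre-send check for the Cc-instead-of-Bcc mistake described above, as an added example (not code from the original article or from Zivver). The domain `example.org`, the threshold of 5, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.org"}  # assumption: the sending organization's own domains
MAX_VISIBLE_EXTERNAL = 5            # assumption: policy threshold, tune per organization


def visible_recipients(msg):
    """Return the addresses every recipient can see (To and Cc, never Bcc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if "@" in addr})


def check_outbound(raw_message):
    """Decide whether an outbound message should be held for sender confirmation."""
    msg = message_from_string(raw_message)
    external = [a for a in visible_recipients(msg)
                if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]
    domains = {a.rsplit("@", 1)[1] for a in external}
    # Many external addresses across unrelated domains in To/Cc is the
    # pattern of a bulk mailing that should have used Bcc.
    hold = len(external) > MAX_VISIBLE_EXTERNAL and len(domains) > 1
    reason = ""
    if hold:
        reason = ("%d external addresses visible in To/Cc; "
                  "use Bcc or individual messages" % len(external))
    return {"hold": hold, "visible_external": len(external),
            "external_domains": len(domains), "reason": reason}


def build_sample(addresses, header="Cc"):
    """Constructed sample message (not taken from any real incident)."""
    return (
        "From: caseworker@example.org\r\n"
        "To: team@example.org\r\n"
        + header + ": " + ", ".join(addresses) + "\r\n"
        "Subject: Case update\r\n"
        "\r\n"
        "Body text.\r\n"
    )


if __name__ == "__main__":
    bulk = ["person%d@mail%d.example" % (i, i % 4) for i in range(250)]
    print(check_outbound(build_sample(bulk, "Cc")))   # held: addresses exposed
    print(check_outbound(build_sample(bulk, "Bcc")))  # passes: addresses hidden
```

A check like this belongs in the mail client or submission gateway, where the message can still be stopped before it leaves the organization.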

Most standard email clients still lack an effective revoke function. And, beyond informing a recipient that a message includes sensitive information, the sender cannot apply the appropriate controls to protect their communications. In the instance of a data leak, employees are unable to act accordingly; they cannot determine when a message was accessed, by whom, or take the necessary steps to control the situation - all of which are issues likely experienced by the individuals involved in the MoD leak.

Whether accessing platforms on a private network or logging into a mobile banking application, two-factor authentication is a familiar practice to most of us. The same principle applies when sharing PII via email; every precaution must be taken to ensure only authorized individuals can access messages and attachments via the most user-friendly (and familiar) methods possible.

In addition, email encryption is vital in protecting sensitive data. Encrypting the connection between the sender’s and recipient’s servers prevents unauthorized users from intercepting communications whilst in transit. And, if an unauthorized user does gain access to encrypted files, they cannot read them.

Turning best practice into standard practice 

As stated by Maxine Holt, maintaining data privacy should no longer be considered ‘best practice’ - it must be standard practice.

It is not enough to demand employees ‘act securely’, utilize sub-standard technology, and complete compulsory training. Organizations are obliged to seek out security platforms robust enough to fulfil compliance, all the while aiding their people in safeguarding digital assets. 

A combination of people, technology, and policy is needed to ensure truly effective data security today.

Blaming people when technology and policy fail is a good way of turning your most valuable asset into your greatest security risk. Terms such as ‘insider threat’ and ‘weakest link’ are rife, and even ‘human error’ implies malicious intent within the workforce. In place of finger pointing, organizations must position employees as the data protectors they want to be, with the platforms they require to do so with confidence.

Find out how Zivver can support your organization in positioning people as data protectors today.

Written by
Rick Goud

Before co-founding Zivver, Rick Goud was a healthcare consultant for Gupta Strategists. He studied at Erasmus University and holds a PhD from the UVA on the development, implementation and evaluation of healthcare support systems. The idea to launch his own company was conceived while he was a strategy consultant. Rick saw a strong need for a secure communication solution to protect sensitive data, and shortly afterwards, Zivver was born.

Originally published on October 1, 2021

Last update on October 1, 2021