UK government criticized for inadequate security reforms following the fallout from the Afghan data leak

In a significant development, the UK's Science, Innovation and Technology Committee has summoned senior officials to explain why the government has not fully implemented the security recommendations made in a secret review following the 2021 Afghan data breach. The review, which was carried out in 2023, examined 11 major UK data breaches between 2008 and 2023.

The review found that each case had unique qualities, but common themes included a lack of controls over downloads, leaked information via "wrong recipient" emails, and hidden personal data in spreadsheets published online. Two individuals have been charged over alleged New IRA terrorism activity linked to cops' spilled data, and other breaches included a leak of data to Malian recipients instead of US military by the Ministry of Defence.

The information security review, which has now been made public following an intervention from the UK's Science, Innovation and Technology Committee and the information commissioner, also revealed that only 12 of the 14 recommendations have been implemented. It is not yet known what the two missing ones are.

The UK Ministry of Defence has apologised after Afghan interpreters' personal data were exposed in an email blunder, and another UK copshop has confessed to a data leak. The full list of recommendations had deadlines ranging from November 2023 to August 2024, and included matters such as ensuring the proper technical controls are in place and data protection processes are clearly visible on staff intranets.

The existence of the review was kept secret for a long time, even after the 2022 Afghan Breach became public. The government's ambitions of using tech to boost the economy and transform the public sector depend on the public trusting that it can keep their data secure.

Edwards, who led the review, suggested that the government should fully implement the recommendations of the Information Security Review which the Cabinet Office undertook following the PSNI breach. McFadden, a member of the committee, concurred with Onwurah on the necessity for the public to trust its data is safe in government hands. McFadden plans to meet with Edwards in September to discuss the review's findings.

A typo watch revealed that 'millions of emails' for US military were sent to .ml addresses in error, and the Police Service of Northern Ireland and Norfolk and Suffolk police forces also had data breaches that were part of the review. The Information Commissioner agreed to meet with the committee.

The review's findings are crucial for understanding how the government plans to stop dangerous data breaches and regain public trust. Edwards agreed that the government needs to go further and faster to ensure Whitehall and the wider public sector put their practices in order.

UK government criticized for inadequate security reforms following the fallout from the Afghan data leak