Ministry of Defence (MoD) staff were advised not to share information containing hidden tabs, according to documents released by the UK's data regulator. Last month, it was revealed that nearly 19,000 people who applied to move to the UK had their details leaked after an official emailed a spreadsheet with a hidden tab.
Documents released by the Information Commissioner's Office (ICO) indicated that staff raised concerns about the lack of a fine issued to the MoD for the breach.
The MoD claimed they had taken steps to improve data security, but an ICO spokesperson stated that the government had not made sufficient progress to learn from past mistakes.
According to an ICO memo, guidance in effect at the time of the leak underscored the MoD’s awareness of data-sharing risks and specifically mentioned the need to eliminate hidden data from datasets.
Hidden tabs keep information out of view in a spreadsheet, but the data remains in the file and becomes accessible if the document settings are altered.
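A pre-share check for the hidden-tab risk described above, as an added example that is not from the MoD, the ICO or the original article. It assumes an .xlsx file whose workbook part sits at the conventional `xl/workbook.xml` path, the function names and sample sheet names are constructed for illustration, and it covers hidden sheets only, not hidden rows or columns.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
WORKBOOK_PART = "xl/workbook.xml"  # assumption: conventional part name


def non_visible_sheets(xlsx_bytes):
    """Return (name, state) for each sheet whose state is not 'visible'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read(WORKBOOK_PART))
    flagged = []
    for sheet in root.iter(f"{{{MAIN_NS}}}sheet"):
        # A missing state attribute means the sheet is visible.
        state = sheet.get("state", "visible")
        if state != "visible":
            flagged.append((sheet.get("name"), state))
    return flagged


def build_workbook(sheets):
    """Constructed sample: a zip holding only the workbook part.

    sheets is a list of (name, state); state None omits the attribute.
    """
    entries = "".join(
        '<sheet name="{}" sheetId="{}"{}/>'.format(
            name, i, ' state="{}"'.format(state) if state else "")
        for i, (name, state) in enumerate(sheets, start=1)
    )
    xml = '<workbook xmlns="{}"><sheets>{}</sheets></workbook>'.format(
        MAIN_NS, entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(WORKBOOK_PART, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_workbook(
        [("Summary", None), ("Source data", "hidden"), ("Lookups", "veryHidden")])
    for name, state in non_visible_sheets(sample):
        print(f"do not share as-is: sheet {name!r} is {state}")
```

A sheet marked `veryHidden` does not appear in the spreadsheet application's normal unhide dialog, so checking the file itself catches tabs that a visual review of the open workbook would miss.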
The UK government estimated that the leak, which prompted an emergency resettlement scheme for individuals at risk from the Taliban, may eventually cost around £850 million.
A super-injunction enforced by the High Court in September 2023 restricted reporting on the incident for nearly two years, until the order was lifted last month.
After discovering the breach, the MoD promptly notified the ICO, leading to several secret meetings over two years; some of the documentation discussed has since been released.
Government officials described the leak as likely 'the most expensive email ever sent', while ICO emails revealed internal discussions about why the regulator chose not to independently investigate the MoD or apply sanctions.
Legally, public bodies must report data breaches to the ICO, which can then initiate investigations and impose fines.
ICO staff discussed potential reputational risks for the regulator after it opted not to take action against the MoD, especially compared to a £350k fine imposed for a smaller data breach in 2023.
Notes were prohibited during the secret meetings, but an ICO memo outlining the incident's timeline surfaced after the leak was revealed last month. The memo indicated that, once the breach was uncovered, the MoD took significant measures to retrieve and delete data from all identified sources to limit the loss of control over it.
The ICO discussed the delay in making an investigative decision, questioning the time taken to ascertain whether action was necessary, and likening the situation to that of a journalist trying to understand the investigative delays.
Ultimately, the ICO resolved not to sanction the MoD, citing a desire to avoid adding costs to taxpayers.
There were 49 distinct data breaches in the past four years in the unit managing relocation applications for Afghans seeking safety in the UK, BBC News reported last week.
According to an ICO spokesperson, the organization worked concertedly to identify and rectify breach causes, aiming to learn critical lessons from these incidents.
They indicated that the government has yet to exert adequate effort in ensuring necessary improvements and raised standards.
An MoD representative remarked that the government made essential attempts to enhance data security through improved software, training, and data expertise.
They added, 'We worked closely with the ICO during an internal investigation and fully accepted all recommendations to prevent future incidents.'