UK Ministry of Defense
400,000 €
GDPR enforcement action by Information Commissioner (ICO) on 2023-12-13.
Rank · Sector: #18 of 357 in Public Sector and Education
Rank · United Kingdom: #17 of 28
Rank · All fines: #273 of 3,050
Case details
- Authority: Information Commissioner (ICO)
- Date: 2023-12-13
- Controller / Processor: UK Ministry of Defense
- Sector: Public Sector and Education
- Quoted Articles: Unknown
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The UK DPA has fined the Ministry of Defense EUR 400,000 for disclosing personal data of individuals who were to be relocated to the UK after the Taliban took control of Afghanistan in 2021. The Ministry of Defense had sent an e-mail to a distribution list of Afghan nationals who were eligible for evacuation without hiding the e-mail addresses, thereby revealing the recipients' personal e-mail addresses and personal data to the other recipients. The ICO stated that if the data had fallen into the hands of the Taliban, it could have led to a threat to lives.
Related fines
- United Kingdom · 2020-10-16 · 22,046,000 € · ETid-58 · British Airways · Transportation and Energy
- United Kingdom · 2020-10-30 · 20,450,000 € · ETid-60 · Marriott International, Inc · Accommodation and Hospitality
- United Kingdom · 2026-02-23 · 16,610,000 € · ETid-3074 · Reddit, Inc. · Media, Telecoms and Broadcasting
- United Kingdom · 2023-04-04 · 14,500,000 € · ETid-1730 · TikTok · Media, Telecoms and Broadcasting
- United Kingdom · 2025-10-15 · 9,180,000 € · ETid-2898 · CAPITA PLC · Industry and Commerce
- United Kingdom · 2022-05-18 · 9,000,000 € · ETid-1190 · Clearview AI Inc. · Industry and Commerce