IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

MoD reported seven data incidents to the ICO between 2020 and 2021

More than 4,000 people were affected according to the department's Annual Report and Accounts

The Ministry of Defence (MoD) formally reported seven data incidents to the Information Commissioner’s Office (ICO) between 2020 and 2021, the department's Annual Report and Accounts have revealed.

The most serious case involved an email account associated with MoD Schools - the institutions in place to provide education to the children of service personnel, mainly overseas - being compromised for a 72-hour period. During this time, details of students and parents were disclosed and affected 4,142 people. The ICO provided guidance in response and determined no further action was necessary, it told IT Pro.

A total of 4,331 individuals were affected by the combined seven incidents, the vast majority of which were those involved in the MoD School-related incident.

In another case, one individual emailed personal data, including identities and home addresses of MoD personnel, to external organisations and international media outlets, affecting a total of 147 individuals. The case was already being investigated by the Military Police and the ICO did not intervene.

A number of social media-based incidents also occurred involving one incident in which images from an incident logbook were posted to social media. The images were of an individual’s injuries, how they were sustained, and details of the affected individual.

Another individual also posted MoD documents to a closed social media group. These documents contained details of cadets and adult volunteers, affecting 30 people.

A separate incident saw an unredacted copy of criminal allegations incorrectly passed to the accused in administrative action. Affecting five people, the copy of allegations included the identity of the victim and details of the associated witness statements. ICO enquiries are ongoing, it told IT Pro.

The final incident involved one person’s name and location details mistakenly published to the House of Commons website as a result of submitting a question to their MP.

The ICO said it was made aware of all seven cases and in most instances, it simply provided the MoD with guidance without further investigation necessary. 

"We take the security of MOD personnel, systems and establishments very seriously," said an MoD spokesperson to IT Pro. "As soon as these incidents were reported, their severity was assessed and passed to the Information Commissioner’s Office in line with our obligations under the law.

"The Information Commissioner’s Office has not raised any concerns about MOD’s handling of these incidents."

Related Resource

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Whitepaper cover with solid red vertical line, and the title and Diligent logoFree Download

Commenting on the news, Donal Blaney, founder of Griffin Law, said: “Our courageous soldiers, sailors and air force personnel are willing to sacrifice their lives – often working under cover and in extreme conditions – so we can live in safety and freedom. 

“The least the Ministry of Defence could do is keep these brave heroes’ personal data safe and secure. Instead, their identities, and potentially the safety of their families and friends, have been put at risk by superannuated MoD pen pushers who are not fit to lick their boots. The Information Commissioner needs to investigate these breaches and bring those responsible to justice.”

The MoD’s data controller specified an additional 552 incidents that occurred within the department but didn’t meet the criteria for reporting to the ICO, representing a slight increase in cases from the 546 reported in 2019-20.

Most recent incidents included cases of inadequately protected electronic equipment or paper documents from in and outside government premises being lost, insecure disposal of inadequately protected paper documents, and other cases of unauthorised disclosure of data.

Details of a ‘record number’ of security breaches at the Ministry of Defence was revealed earlier in 2021 after a number of heavily redacted documents were handed to Sky News.

The information gleaned from the redacted documents did not match up with the aforementioned incidents as reported in the latest Annual Report and Accounts from the MoD but did reveal secret information belonging to the department was exposed to hostile states.

Other incidents involved data sent to an unauthorised domain, potential compromises to MoD-owned systems, misconfigured infrastructure and more.

Speaking at the time, an MoD spokesperson said: “The MoD takes the security of its personnel, systems and establishments very seriously and continually seek to improve security incident reporting.

“We have recently introduced policy, processes and tools to make internal and external reporting easier and more efficient, and the increase in reports can be largely attributed to these improvements.”

In September 2021, an MoD data breach within the Afghan Relocations and Assistance Policy team also saw the lives of Afghan interpreters put at risk after the Taliban seized control of the country a month earlier.

Many of the individuals affected were hiding at the time, but their names emails and, in some cases, pictures were included in an email sent without concealing the full recipient lists' identities. Around 250 people were thought to be affected by the incident.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download


Ransomware group Conti threatens to overthrow Costa Rican government

Ransomware group Conti threatens to overthrow Costa Rican government

17 May 2022
UK plan to abandon big tech regulator powers “makes no sense”
Policy & legislation

UK plan to abandon big tech regulator powers “makes no sense”

3 May 2022
How governments can build resilience in a new normal

How governments can build resilience in a new normal

27 Apr 2022
Google Cloud wins tender with Israeli judiciary

Google Cloud wins tender with Israeli judiciary

12 Apr 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022