The Register

UK government dragged for incomplete security reforms after Afghan leak fallout

Senior officials are being summoned to the UK’s Science, Innovation and Technology Committee to explain why the government has not fully implemented the security recommendations made in a secret review following the 2021 Afghan data breach.

Chi Onwurah, chair of the committee that pushed for the secret review to be published on Thursday, said the previous government that oversaw the investigation has questions to answer over why only 12 of the 14 changes have been made.

Senior minister Pat McFadden and Information Commissioner John Edwards have been asked to explain the context around the review and how the government plans to prevent sensitive breaches from happening again.

The existence of the review, carried out in 2023, has never been publicized.

It examined 11 major UK data breaches between 2008 and 2023, including the Ministry of Defence’s (MoD) dangerous email blunder that exposed the details of Afghans who worked with British forces during the conflict with the Taliban, as well as British troops and spies.

The others included a similar email mistake made by the Police Service of Northern Ireland, Norfolk and Suffolk police forces, Digital ID, another MoD leak of data to Malian recipients instead of US military (.ml/.mil), and more in the public sector.

Overall, the review found that each case had unique qualities, but common themes included a lack of controls over downloads, leaked information via “wrong recipient” emails, and hidden personal data in spreadsheets published online.

The full list of recommendations had deadlines ranging from November 2023 to August 2024, and included matters such as ensuring the proper technical controls are in place and data protection processes are clearly visible on staff intranets.

A committee spokesperson told The Register that it knows only 12 of the 14 have been implemented, but it does not yet know what the two missing ones are.

It hopes to understand this better following the meeting with McFadden and Edwards.

Onwurah said: “I’m glad that this information security review has finally been made public, but it’s concerning that it took an intervention from my committee and the information commissioner to make this happen.

“The government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public?

“Proper scrutiny on this is desperately needed, and it’s crucial we have a better understanding of how the government plans to stop these dangerous data breaches.

“For the government to fulfill its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”

McFadden concurred with Onwurah on the necessity for the public to trust its data is safe in government hands, according to a letter he sent that was published by the committee.

Regarding the recommendations, McFadden, the chancellor of the Duchy of Lancaster, said: “Good progress has been made but we must guard against complacency.”

Edwards also agreed, saying: “The government needs to go further and faster to ensure Whitehall, and the wider public sector, put their practices in order. As a matter of urgency, the government should fully implement the recommendations of the Information Security Review which the Cabinet Office undertook following the PSNI breach.”

The Information Commissioner agreed to meet with the committee, and McFadden said he plans to meet with Edwards in September to discuss the review’s findings. ®
