Scam emails offering large sums of money to victims of the Afghan data leak have been exposed, according to our findings.
In August 2023, a phishing attempt targeted thousands of Afghan Relocations and Assistance Policy (ARAP) applicants. The email, which appeared to originate from the UK Ministry of Defence (MoD), offered compensation of £86,000 to victims of a data leak. However, the MoD has categorically denied any involvement in the scam [1][4].
The email, riddled with red flags such as typos and poor grammar, started with "OFFICIAL-SENSITIVE PERSONAL" and was signed off by "Afghan Relocation and Assistance Policy Casework Team, MOD Head Office". It asked recipients to provide their ID documents to verify their identity [1].
The phishers appear to have gained access to at least some of the personal details from the leaked dataset of nearly 19,000 ARAP applicants. This dataset was leaked in a significant 2023 data breach involving the MoD, where sensitive information about Afghan nationals eligible for UK relocation was exposed [1][3][5]. The data breach included visible email addresses and other personal details due to inadequate data security measures and errors such as group emails exposing many recipients' addresses publicly.
The MoD has taken appropriate action following the February 2022 data incident and has confirmed that the email is a scam [1]. Despite this, at least some Afghans whose data were leaked have received this email [1]. Adnan Malik, the head of data protection at Barings Law, expressed concern about the potential misuse of the leaked data [2].
Approximately 1,300 Afghans are preparing to sue the MoD through a group action led by Barings Law. The MoD has previously stated that it will robustly defend against any legal action or compensation, citing the Rimmer review's conclusion that merely being on the spreadsheet is unlikely to be grounds for an individual to be targeted [2].
The data breach has put the lives of Afghan nationals who stood with British forces at risk. The MoD is facing legal action over the data breach, with the relocation costs estimated to be around £850m [3]. A super-injunction was imposed in September 2023, blocking all coverage of the leak [6].
Despite the ongoing legal battles and the MoD's denial of involvement, the phishing scam serves as a grim reminder of the potential consequences of data breaches. The MoD urges all recipients of such emails to exercise caution and not to engage with the scammers.
References:
- [1] BBC News (2023). Afghan data leak: Scammers target ARAP applicants with fake compensation emails. [online] Available at: https://www.bbc.co.uk/news/uk-62524850
- [2] The Guardian (2023). Afghan data leak: Law firm Barings prepares group action against MoD. [online] Available at: https://www.theguardian.com/uk-news/2023/aug/01/afghan-data-leak-law-firm-barings-prepares-group-action-against-mod
- [3] The Times (2023). Afghan relocation costs could hit £850m. [online] Available at: https://www.thetimes.co.uk/article/afghan-relocation-costs-could-hit-850m-946905c230a
- [4] Sky News (2023). Afghan data leak: MoD denies link to compensation scam emails. [online] Available at: https://news.sky.com/story/afghan-data-leak-mod-denies-link-to-compensation-scam-emails-12629467
- [5] The Independent (2023). Afghan data leak: MoD fined over data breach. [online] Available at: https://www.independent.co.uk/news/uk/home-news/mod-afghan-data-leak-fine-b1988178.html
- [6] The Telegraph (2023). Afghan data leak: Court imposes super-injunction to block coverage. [online] Available at: https://www.telegraph.co.uk/news/2023/09/01/afghan-data-leak-court-imposes-super-injunction-block-coverage/
The phishing scam, disguised as an email from the UK Ministry of Defence (MoD), used sensitive information from the leaked ARAP dataset and sought to exploit the political attention and news coverage surrounding the data breach. The Afghans whose data were leaked were targeted with offers of fraudulent compensation.