MoD Gets Fined £350,000 by the ICO

February 29, 2024

by Olena Nechyporuk

The Ministry of Defence (MoD) Gets Fined £350,000 by the ICO for infringing on the GDPR Principle of ‘Integrity and Confidentiality’.

The MOD sent emails inadvertently using the “To” field rather than the “Bcc” field. 265 unique email addresses were disclosed in breach of GDPR Article 5(1)(f). The MOD were fined £350,000.


Under the U.K. GDPR, organisations must implement appropriate technical and organisational measures in place to protect data, thus preventing data breaches. However, the MoD failed to demonstrate this when email messages were sent to multiple recipients with all email addresses exposed. The ICO has said they should have used bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically.

Read more