We talk a lot about digital transformation. About the promises of smarter systems, AI safeguards, and the power of technology to protect us. But sometimes, it takes a story and a human story, to remind us what’s really at stake.
In 2022, someone at the UK’s Ministry of Defence sat down at their desk and sent an email.
It was probably a long day. Maybe they were tired, under pressure, working late. They clicked “Cc” instead of “Bcc.” A minor error is something we’ve all done at some point. But this wasn’t a weekly update or a budget approval chain. This was a spreadsheet containing the names and personal details of over 18,000 Afghan citizens who had supported British forces during the war. In that single click, lives were exposed and changed forever.
When Trust Breaks
These were people who had risked everything for British troops. Interpreters. Guides. Civilians who believed in the promise of democracy. Their reward? A name on a kill list.
The Taliban doesn’t need hacking tools when mistakes like this are so readily available.
The fallout was immediate and brutal. Some families went into hiding. Others were evacuated in panic. Over 4,500 people were relocated via a covert emergency scheme known as the Afghanistan Response Route. The cost of secrecy? A super-injunction that kept the story out of the UK Parliament and the press for nearly two years.
When the truth finally surfaced this week (July 2025) it wasn’t just the scale that was shocking, it was the silence. The cost. Amidst the realisation that, again, an institution that people trusted the most, failed.
This Isn’t the First Time
Sadly, this wasn’t an isolated incident. In 2021, the UK MOD made a similar error sending the names of 265 Afghan nationals to the wrong email group. Many of those individuals reported harassment and threats. The UK government later paid out compensation, at around £4,000 per person.
And beyond national defence?
- In 2023, the UK NHS in Scotland sent thousands of letters to the wrong patients containing highly sensitive medical data.
- In 2018, the UK Cabinet Office published the addresses of over 1,000 New Year Honours recipients, including celebrities, defence staff, and MI5 agents.
- In Australia, a Department of Human Services worker mistakenly released client data in a public submission, sensitive details exposed in a policy debate.
The pattern is consistent, and in this case it’s not cyberattacks or ransomware. It’s human error, an avoidable, recurring, and deeply personal mistake.
The Taxpayer Pays. And Pays Again.
The cost of these failures isn’t just emotional or ethical. It’s measurable, and staggering.
The UK MOD / Afghan leak is expected to cost the UK taxpayer between £850 million and £2 billion, once resettlement, operations, and legal settlements are included. And this doesn’t count the human capital lost, the trauma, the disrupted lives, the fear passed down through families and the reputational damage of one of the most esteemed defence institutions.
The UK is spending billions reacting to things that could have been prevented for a fraction of that cost. I studied psychology, and there is a very true saying, “respond to” do not “react to” or prepare in advance so you don't have to do either.
This Is a System Failure. Not a People Problem.
We need to be honest: people will always make mistakes. What failed here wasn’t the person, it was the system that allowed that mistake to have global consequences.
Email, in its default form, is not secure. It was never designed for sensitive, high-stakes communication So let’s stop pretending that training alone can fix this. The real solution lies in technology that’s designed with failure in mind, technology that assumes mistakes will happen, and steps in before disaster strikes … or better yet, creates an environment where the mistake is irrelevant.
What Tech Can (and Should) Do
Platforms like Zivver are already leading the way, building in AI based real-time alerts when sensitive content is shared or when too many external recipients are added. If someone hits “Cc” when they mean “Bcc,” Zivver catches it.
Tuta brings end-to-end encryption to email by default, ensuring that even if a message is misdirected, its content is unreadable to outsiders.
And of course, there’s WIRE designed from the ground up for secure, encrypted collaboration, where sensitive files and messages are shared inside a platform that respects zero-trust principles. It removes the reliance on email entirely, giving teams safer ways to communicate and share at scale.
These aren’t fringe solutions. They’re enterprise-ready. They’re used in healthcare, finance, and government today. The excuse that secure systems “slow us down” no longer holds water. Speed without safety isn’t efficiency, it’s recklessness.
A New Kind of Responsibility
This moment demands more than policy. It demands more than the routine promise of “lessons learned” or carefully worded apologies. It requires a profound cultural shift, one where digital security is no longer treated as a bolt-on or compliance checkbox, but as a fundamental part of how we work, communicate, govern, and lead. We must recognise that security is not simply a technical function, it is a moral one. And it must be embedded from the ground up, not retrofitted after harm has been done.
This isn’t just a UK problem, it’s a European responsibility, and even a global one. Because in an interconnected world, breaches do not respect borders. When a secure database in Whitehall is compromised, the impact can reach as far as Kandahar. When patient records are mismanaged in Brussels, lives are disrupted in real time. The systems we build across Europe, from asylum and immigration processes to justice platforms and digital ID networks, carry not just data, but the hopes, histories, and vulnerabilities of real people. In this context, sovereignty is no longer just about borders. It’s about control of our data, our ethics, and our accountability.
To meet this moment, government CIOs and CTOs across Europe must be empowered with the authority, funding, and political backing to empower CISO’s without hesitation to no longer be reactive players called in after a breach, but central actors at the strategic level helping guide and design procurement, and risk prevention. Public sector procurement must evolve as well, shifting its focus from lowest cost to highest consequence. We must stop asking only, “Does it meet the tender spec?” and start asking, “Does it preserve public trust, ensure digital sovereignty, and protect people at scale?”
And perhaps most urgently, leaders at every level whether they’re in the Cabinet Office, a city council, a European Commission directorate, or a local hospital board must ask the hardest question of all: “If our systems failed tomorrow, who would pay the price?” If the answer is “someone else’s life,” “someone’s safety,” or “a community’s trust in its government,” then we have a non-negotiable obligation to change the system now.
Because the reality is clear: in today’s digital society, we can no longer separate system risk from human risk. Our communications platforms are now frontlines. Our data infrastructure is inseparable from the lives it touches. And when the tools we depend on to serve and protect people are built without integrity, the fallout is not just technical, it is deeply human.
This is the new kind of responsibility. One that sees cybersecurity not as an IT issue, but as a question of dignity, trust, and power. A responsibility that demands we design systems not just to function, but to safeguard. Not just to perform, but to protect. In the world ahead, digital leadership means recognising that we don’t just secure systems …. we secure people. That is the frontier. That is sovereignty in the 21st century. And that is the future we must choose urgently, decisively, and together.
The Future We Choose
I believe in technology, in fact I have invested nearly 20 years of my life into spearheading technology that delivers innovation, change and value for communities, businesses and ecosystems.
But more than that, I believe in designing systems that respect people’s lives. Technology is not neutral, it either protects or exposes, empowers or undermines. The breach at the Ministry of Defence wasn’t a technical inevitability. It wasn’t some sophisticated hack from a hostile actor. It was the outcome of outdated systems and outdated thinking, a legacy approach that placed convenience above security, and habit above accountability. It was the byproduct of a culture that accepts “good enough” as sufficient, even when lives are on the line.
We can’t undo what’s already happened. We can’t reverse the fear that so many Afghan families felt when they realised their names had been exposed. We can’t bring back the trust that was lost in an instant. But we can do something even more powerful, we can choose to learn. We can recognise that every institution, every company, every public sector team has a responsibility not just to do better, but to build better. That means investing in platforms where secure communication is not an option, but the default. It means using technology that assumes humans will make mistakes, and is ready to catch them before those mistakes cause harm. It means moving beyond tick-box compliance and toward systems of proactive protection and verifiable trust.
And we must act with urgency. Because this was one breach. One error. One click. And it changed thousands of lives. Not metaphorically, but literally. That’s the weight of our digital decisions now. That’s the reality of operating in a connected world.
So let’s get this right. Let’s move beyond relying on good intentions, and start depending on great systems, systems that scale, adapt, and never forget the human at the other end of the message. Let’s design for dignity. Let’s protect people not just in principle, but in practice.
One click changed everything.
Let’s make sure the next one saves.
