Secret MoD data breach led to thousands of Afghans being relocated to UK

15/07/2025 | The Guardian

On Tuesday, the news broke about a 2022 personal data breach, which occurred under the Conservative government led by Boris Johnson, that exposed the identities of 18,700 Afghans applying for relocation to the UK. The severity of the data breach was such that it led to the use of an unprecedented superinjunction taken out by Rishi Sunak's government to conceal the identities of those exposed. The unintentional error then led to the secret establishment of the Afghanistan Response Route (ARR) scheme, costing the taxpayer billions of pounds. 

The breached spreadsheet contained 33,000 records, including personal information of 18,714 Afghan applicants to now-closed relocation schemes that were in place prior to 7 January 2022. As the story continues to unfold, we now know that more than 100 British citizens were also contained within the dataset, including MI6 operatives, special forces personnel and other senior military officers, along with MPs, and government officials involved in the claims.

The Ministry of Defence (MoD) first became aware of the personal data breach in August 2023, after data appeared on a Facebook group. Fearing that public disclosure could endanger thousands of Afghans from the Taliban, the government obtained the superinjunction from Mr Justice Knowles, keeping both the personal data breach and the mitigation scheme secret for nearly two years. The additional step taken by Knowles (£) meant that, not only was it unlawful for anyone to reveal that the breach had occurred, but the existence of the secretive restrictions could also not be disclosed.

Speaking on Radio 4's Today Programme, Grant Shapps, the former Secretary of State for Defence at the time the superinjunction was imposed, said: "My focus was on two things … one, sorting out the mess and saving lives, and two, making sure that systems were in place which frankly should have always been in place to make sure this sort of sensitive information could never be sent on.

"There were British Special Forces and secret services on that list. It seemed to me that if there was any doubt at all, that erring on the side of extreme caution, a superinjunction meant that that was entirely justified."

In the High Court on Tuesday, Mr Justice Chamberlain lifted the superinjunction. Defence Secretary John Healey immediately offered a "sincere apology" for the data breach, expressing his discomfort with the previous lack of transparency. Healey revealed that he was briefed and issued with the superinjunction in December 2023 while still in opposition, but that other current cabinet members were unaware of its existence until after the general election.

The Labour government, which initiated a review into the response to the data breach in February, confirmed that it will now halt the ARR scheme, which was estimated to cost £850 million for 6,900 people. Approximately 900 Afghans are already in the UK or in transit, along with 3,600 family members, at a cost of £400 million. A further 600 invitations to those still in Afghanistan and their immediate families will be honoured. An additional 9,500 people will no longer be able to come to the UK under the ARR scheme. While the total costs of all Afghan resettlement schemes were estimated to cost up to £7 billion (£), ending the ARR scheme is projected to save an additional £1.2 billion. 

But the costs to the taxpayer don't end there. According to reports, compensation cases could cost an additional £1 billion to the taxpayer (£). One such case is being explored by Barings Law, which is preparing legal action on behalf of 1,000 affected individuals, many of whom have connections to the Afghan armed forces. Their situation highlights the serious risks of being associated with the leaked database that reveals the identities of those who assisted the armed forces in Afghanistan. Former Defence Secretary Ben Wallace, who initially sought the injunction, maintained it was always to prevent harm, not to cover up the issue. Nevertheless, the number of people under the ARR scheme continued to grow under the Conservative government. The Labour government announced their intention to end the scheme after conducting a year-long review, including the findings from a report by retired civil servant Paul Rimmer.

In a statement, the Information Commissioner's Office (ICO) confirmed that it was notified of the data breach in August 2023, within the 72-hour notice period required under the UK General Data Protection Regulation (GDPR). Having been unable to comment on this matter publicly until now, the ICO is keen to reassure the public that it has been working behind the scenes to support the MoD's internal investigation into this complex and sensitive situation. 

The statement clarifies that the ICO's role is "to consider the impact on people's data protection rights and what processes were in place to protect them." While acknowledging that "the stakes are simply too high" for an incident like this to occur again, the ICO said that it was reassured that the Ministry of Defence's investigation had led to the implementation of necessary measures to minimise risks and prevent similar incidents in the future. As such, the ICO is "satisfied that no further regulatory action is required at this time in this case."

However, in an interview with the BBC, Healey later conceded that he was "unable to say for sure" whether anyone had been killed as a result of the breach.

An article by data protection specialist Jon Baines reflects on the ICO's decision to take no further action. Baines concludes that it "is very difficult to understand how" this latest MoD breach "did not meet the threshold for regulatory action," and warrant a fine under the ICO's proposed updates to its public sector approach announced in December 2024. 

The criteria for fine eligibility include previous relevant infringements, such as the 2021 MoD data breach involving the email addresses of over 250 Afghan interpreters, which led to a £350,000 monetary penalty, and where there is "actual or potential harm to people," including "a high risk of actual or potential harm to affected people or their family members, including a threat to life following a data breach."

As the story unfolds, questions are mounting over why no one has been held accountable for the breach that put the lives of thousands of Afghans at risk and cost taxpayers billions to relocate them. During Prime Minister's Questions, Sir Keir Starmer expressed his anger over the Labour government inheriting a "major data breach, a superinjunction, and a secret route that has already cost hundreds of millions of pounds." He demanded answers from former Conservative ministers.

Pressure is also intensifying on the ICO to reconsider its decision not to investigate the data breach. Dame Chi Onwurah, Chair of the Commons Science, Innovation and Technology Committee, is writing to the Information Commissioner, asking for details on the ICO's role and pushing for a full inquiry into the "extremely worrying" leak and its security implications.

Speaking to the Independent, Baines expressed "unanimous bafflement" at the ICO's apparent disinterest, suggesting that enforcement extends beyond fines and that a report to Parliament could effectively highlight the persistent issue of hidden data in spreadsheets and ensure greater public accountability. 

Then on Thursday, Information Commissioner John Edwards issued an additional statement defending the ICO's decision not to take further regulatory action against the MoD. "It is important that we can explain, and be accountable for, those decisions," explained Commissioner Edwards. 

Edwards went on to clarify the ICO's decision-making process, which considers the impact of the breach, the organisation's response, lessons learned, and the unique value the ICO can add through investigation, balancing these against opportunity costs. 

Edwards explains how the ICO has worked closely with the MoD to ensure the causes of the breach were identified and rectified, lessons learned, and mitigation efforts implemented. In reaching its decision, the ICO weighed several factors: the egregious harm caused to affected Afghans, the urgent circumstances of the initial data sharing (intended to protect lives), and the fact that the ICO had already penalised the MoD for prior ARAP data handling failures. The ICO is confident the MoD has learned from these mistakes. The MoD's timely and comprehensive response, including substantial resource expenditure to implement preventative measures and protect affected individuals, was also a key consideration. 

Ultimately, the ICO determined that a formal investigation would add little beyond the existing public scrutiny, despite acknowledging the MoD's undeniable errors and serious consequences. Edwards stated that the ICO's role was to support the MoD's internal investigation to ensure necessary steps were taken. While satisfied that no further regulatory action is currently required, the ICO remains open to conversations with stakeholders if other accountability bodies require their specific investigative skills.

£ - These articles require a subscription. 

