Public Accounts Committee highly critical of MoD over Afghan data breach

A new report from the Public Accounts Committee (PAC) states it is not confident the Ministry of Defence (MoD) has done enough to reduce the risk of future incidents following the catastrophic 2022 personal data breach, which put thousands of Afghan citizens' lives at risk of Taliban reprisal. The data breach is estimated to cost the taxpayer at least £850 million, excluding legal and compensation costs.

The PAC report found that the MoD knew the risks associated with its management of highly sensitive personal data under the Afghan Relocations and Assistance Policy (ARAP). Furthermore, it states that the department was inappropriately relying on Excel spreadsheets stored on a SharePoint site, lacked adequate systems to manage high volumes of sensitive personal data, and failed to learn from multiple data breaches over successive years, including 49 separate breaches at the unit handling Afghan applications. The PAC is now demanding a full list of actions the MoD is taking to prevent future failures.

The committee highlighted the MoD's chaotic and inadequate response to the breach, noting that the department has not accurately accounted for the costs of the Afghan Response Route (ARR), the resettlement programme put in place as a direct result of the data breach. By June 2025, 3,383 people had arrived under the ARR, and the PAC is demanding six-monthly updates on resettlement activity and accurate cost capture.

The report also detailed the MoD's failure to enable effective Parliamentary scrutiny. The department informed only a single director at the National Audit Office NAO about a secret matter related to the data loss, withholding details on the operational consequences, the number of people affected, and the likely cost. This action prevented the NAO from fulfilling its duty of providing assurance to Parliament on the MoD's use of public money.

The Information Commissioner's Office (ICO) is mentioned 16 times in the report, mainly in relation to MoD decisions about reaching reporting thresholds. On the ICO's decision not to open an investigation, the report clarifies that the "ICO decided that it was not in a position to conduct its own investigation at that time, because of the restrictions resulting from the super-injunction and the classification of much of the relevant material as Secret or Top Secret. Instead, the ICO decided to review, oversee and propose lines of investigation to the Department's internal investigation team." 

PAC Chair Sir Geoffrey Clifton-Brown stated that the MoD knew the risks of using inadequate systems and called the department's decision-making "emblematic" of its poor quality. The committee is demanding an agreement with the MoD and the Comptroller & Auditor General (C&AG) on how to ensure timely information is provided for future sensitive situations. The PAC further criticised the slow pace of establishing a proposed Parliamentary oversight committee for sensitive defence work.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.