In February 2022, a British soldier inadvertently leaked a database containing personal information of approximately 25,000 Afghan nationals who had assisted UK forces in Afghanistan. This breach, only discovered in August 2023, exposed these individuals to potential Taliban reprisals. The MoD’s response, or lack thereof, has since been under intense scrutiny.
The National Audit Office (NAO) recently criticized the MoD for failing to properly disclose the data leak. Despite the breach’s severity, the MoD included only a limited mention of the incident in its 2023 annual report, raising questions about the department’s commitment to transparency. The MoD contends it had an understanding with the NAO regarding disclosure, but the NAO states it had no role in the decision and is now reassessing its audit approach.
In response to the leak, the UK government initiated the Afghan Response Route (ARR), a secret relocation scheme aimed at resettling those affected. Initially estimated to cost £7 billion, the program was later reduced to £850 million. As of July 2025, the scheme has relocated approximately 16,000 individuals to the UK, with plans to include more than 42,500 individuals before an independent review questioned its necessity.
The MoD’s handling of the data breach has been widely criticized. Critics argue that the lack of transparency and the prolonged secrecy surrounding the ARR scheme have hindered public and parliamentary scrutiny. The use of a superinjunction to conceal the operation from the public and Parliament has been particularly contentious, with concerns that it undermines democratic accountability.
Former Defence Secretary Ben Wallace accepted full responsibility for the incident, acknowledging the mishandling of the situation. The controversy has sparked debates over government accountability, data protection protocols, and the balance between national security and transparency.
In December 2023, the Information Commissioner’s Office (ICO) fined the MoD £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. The ICO found that the MoD had failed to have appropriate technical and organisational measures in place, leaving the security of personal information processed by the Afghan Relocations and Assistance Policy (ARAP) team at significant risk.
The MoD’s internal investigation found that similar data breaches had occurred on two other occasions in September 2021, exposing a total of 265 email addresses. The ICO’s guidance urges organisations to use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically. The ARAP team had been relying on the use of the blind carbon copy field for security, which the ICO said carries a significant risk of human error.
The controversy surrounding the MoD’s handling of the Afghan data leak continues to unfold, with ongoing debates over the department’s transparency, accountability, and commitment to data protection.
Be the first to comment