In early 2022, a British defence official inadvertently circulated a spreadsheet containing the personal data of over 18,700 Afghans who had applied to the UK’s Afghan Relocations and Assistance Policy (ARAP) or ex gratia schemes. This massive security lapse exposed these individuals to potential threats from the Taliban, as their identities and contact information were now accessible to hostile entities. The leak remained undetected until August 2023, when it was discovered that parts of the data had been published on Facebook, further amplifying the risk to those affected. (reuters.com)
The Ministry of Defence’s response to this breach was swift yet secretive. Recognizing the jeopardy to up to 100,000 individuals, the MoD launched Operation Rubific, a covert mission aimed at evacuating the most vulnerable Afghans to the UK. This operation, considered the largest peacetime covert evacuation in British history, was conducted under a superinjunction, preventing public disclosure of the breach and the relocation efforts. The superinjunction remained in place for 683 days, making it the longest in British legal history and the first sought by a government. (m.economictimes.com)
By May 2025, over 16,000 Afghans had been relocated to the UK under this secret scheme, with costs estimated at £2 billion. Despite these efforts, a review found no concrete evidence that the Taliban accessed the data or launched targeted attacks due to the breach. (reuters.com)
The breach also exposed personal details of over 100 British nationals, including MI6 spies and SAS troops, raising serious security concerns. The leaked data resurfaced on Facebook a year later, prompting further scrutiny of the MoD’s data handling practices. Defence Secretary John Healey issued a formal apology for the breach, emphasizing the ministry’s commitment to the security of its personnel, especially those in sensitive roles. (reuters.com)
In response to the breach, the Information Commissioner’s Office (ICO) fined the Ministry of Defence £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. The ICO described the breach as “egregious,” stating it “let down those to whom our country owes so much.” (ico.org.uk)
This incident has raised serious questions about the MoD’s data handling practices and its ability to protect sensitive information. Experts and former officials suggest that the MoD struggles to manage “sensitive” data with the same rigor as “secret” information, highlighting systemic flaws such as misclassified emails, flawed cross-government communication, over-reliance on external email for data sharing, and a lack of digital agility. (ft.com)
The breach also underscores the critical issue of supply chain security. The MoD’s payroll system, which was compromised, was managed by an external contractor, raising questions about the processes within the ministry for governing external contractor provision and ensuring compliance with security requirements. (chathamhouse.org)
In conclusion, the UK’s Ministry of Defence data breach serves as a stark reminder of the vulnerabilities inherent in handling sensitive information. It highlights the need for robust data protection measures, especially when dealing with personal details of individuals who have risked their lives in support of British operations. The incident has prompted calls for comprehensive reforms within the MoD to prevent similar breaches in the future.
Operation Rubific sounds like something straight out of a spy thriller. I wonder if the £2 billion price tag included a bulk discount on trench coats and sunglasses? Data protection clearly wasn’t a mission objective!