Dozens more UK Afghan data breaches uncovered

Ministry of Defence Reveals Dozens of Data Breaches in Afghan Relocation Unit
The Ministry of Defence (MoD) has revealed there have been 49 data breaches in the last four years at the unit responsible for handling relocation applications from Afghans seeking safety in the UK.
Four of these 49 breaches were already public, including a massive leak in 2022 of a spreadsheet containing the names of nearly 19,000 people fleeing the Taliban. This significant data leak, which forced thousands of Afghans to be relocated to the UK, was only disclosed last month after a High Court gagging order was lifted. The UK's information watchdog described it as a "one-off occurrence" due to a failure to follow standard checks, suggesting it did not reflect a wider culture of non-compliance.
However, lawyers for the affected Afghans argue that the new figures, released to the BBC under the Freedom of Information Act, raise questions about a culture of lax security within the resettlement programme. While the MoD has refused to provide details on each breach, previously reported incidents include officials accidentally sending applicants' email addresses or other personal information to third parties.
Adnan Malik, Head of Data Protection at Barings Law, which represents hundreds of Afghans affected by the worst of the breaches in February 2022, said:
"What started off as an isolated occurrence, which the Ministry of Defence attempted to keep from public knowledge, has now erupted into a sequence of events. We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to discover the truth through court action or news broadcasts."
ARAP and the History of Data Breaches
The Afghan Relocation and Assistance Policy (ARAP) was launched in April 2021 to help eligible applicants and their families who were at risk after working with British armed forces in Afghanistan. The scheme was closed in July of this year and has been criticised for inadequate data security, which has potentially endangered the lives of Afghans.
In September 2021, the email addresses of more than 250 Afghans were mistakenly visible to each other in an email from the MoD. In total, 265 email addresses were exposed across three separate incidents that month, leading to a £350,000 fine from the watchdog. One defence source described the revelations as "intensely difficult and embarrassing for the government to handle publicly."
Following these events, then-Defence Secretary Ben Wallace told MPs, "I want to make sure it's not just the poor guy who drafts the email that is held accountable," adding that the entire chain of command needed to be scrutinised to prevent a recurrence.
In November 2021, the Conservative government announced "major remedial steps," including new data processing and training, as well as a new "two pairs of eyes" rule requiring a second member of staff to review any external email sent to an ARAP-eligible Afghan national before it was sent.
The Most Significant Leak
Despite these measures, data leaks continued. The most serious incident occurred in February 2022 when a soldier at Regent's Park Barracks sent a spreadsheet to trusted Afghan contacts, believing it contained a small number of names. However, hidden data within the spreadsheet exposed the names, contact details, and other information of over 19,000 people, including their family members and associates.
The leak was only discovered 18 months later, in August 2023. The then-Conservative government sought a gagging order to prevent the public from learning about the mistake, arguing that lives were at risk and that an injunction was necessary to avoid alerting the Taliban. This gagging order was not lifted until July of this year.
Jon Baines, a senior data security specialist at Mishcon de Reya, said the new figures show a "significant number of data leaks in connection with the ARAP programme." He added, "It's impossible to think of any data that is more sensitive than that which is embedded in the scheme. It baffles me why there are no better security systems in place."
Accountability and The Future
Of the 49 data leaks, seven were serious enough for the MoD to notify the Information Commissioner's Office (ICO). Three of these breaches, one in 2021 and two in 2022, were not previously made public. The ICO stated it had limited information on those breaches and did not take further action, but its relationship with the MoD is "ongoing." An ICO spokesperson said, "We continue to collaborate with the MoD so we can be confident that they have made the required changes."
The MoD has not taken action over the massive spreadsheet leak, stating there was "nothing we could do in this situation that would justify further allocation of funds away from other priorities." This has led to serious questions about whether the ICO should have conducted more in-depth investigations earlier and if further investigations are now urgently needed.
According to a Labour government source, previous Conservative administrations were to blame for ineffective data security measures. Since Labour came into power last year, new software and other improvements have been implemented. The source stated, "We've introduced a slew of new initiatives to boost data integrity, and we've revealed the largest Afghan data leak, which occurred under the previous administration, to encourage parliamentary scrutiny and accountability."
A Conservative Party spokesperson responded, "This data leak should never have occurred and was an unacceptable violation of data security legislation." They added that the then-government's first priority was to protect the individuals in the database.
"We take data security seriously and are committed to ensuring that any incidents are dealt with properly and that we adhere to our legal obligations," an MoD spokesperson said. "All incidents that exceed the threshold under UK data privacy legislation are referred to the Information Commissioner's Office, and any lesser incidents are investigated internally to ensure lessons are learned."