In a revelation that has sent shockwaves through both the legal and humanitarian communities, the UK Ministry of Defence (MoD) has admitted to a staggering 49 data breaches linked to its Afghan Relocations and Assistance Policy (ARAP) programme over the past four years. This figure, uncovered through a Freedom of Information request reported by the BBC, is more than twelve times higher than previously acknowledged, raising profound concerns about the safety of thousands of Afghans who sought refuge in Britain after the Taliban’s return to power.
For years, the British government’s ARAP scheme has been a lifeline for Afghans at risk due to their connections with the UK’s military and diplomatic efforts in Afghanistan. Launched in April 2021, ARAP aimed to relocate those most vulnerable to Taliban reprisals. Yet, the very process meant to safeguard these individuals has instead exposed them to new dangers through repeated failures in data security.
Until recently, only four breaches were publicly known. Among these, a catastrophic 2022 incident stands out: a spreadsheet containing the personal details of almost 19,000 people fleeing the Taliban was mistakenly released by a staffer. According to Computer Weekly, this leak was initially kept from public view under a superinjunction—a strict court order preventing media coverage—that was only lifted in July 2025. The fallout was immense: thousands of Afghans were secretly relocated to the UK, their presence and identities concealed for years.
But the scale of the problem proved far greater. The newly revealed total of 49 breaches, as confirmed by the MoD, includes a host of incidents that have never been detailed to the public. The department has declined to comment on the specifics of each breach. However, previously reported cases paint a troubling picture. In 2021, more than 250 Afghan applicants were inadvertently copied into an email, exposing their identities and putting them at risk of Taliban revenge attacks—a mistake that prompted the government to introduce a rule requiring a “second set of eyes” on all external emails before sending.
Despite such remedial actions, data protection failures continued to mount. Two of the known breaches related to email security failures affected approximately 300 individuals. The most severe of these resulted in the Information Commissioner’s Office (ICO) imposing a £350,000 fine on the MoD—a rare move, given the regulator’s usual reluctance to fine government bodies for such incidents, as reported by Computer Weekly.
The catalogue of errors did not end there. Earlier in August 2025, a third-party services provider working with the MoD at Stansted Airport suffered a cyber attack, compromising the data of 3,700 people, including some associated with ARAP. This incident further exposed the fragility of the department’s data protection systems, especially when handling information as sensitive as the identities and locations of asylum seekers.
Lawyers representing the victims have voiced their outrage. Adnan Malik, head of data protection at Barings Law—which represents hundreds, and by some accounts, over a thousand Afghans affected by the breaches—said, “What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings. We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.”
The sense of betrayal among those impacted is palpable. Many Afghans who applied to ARAP did so in fear for their lives, trusting that the UK government would protect their identities and families. Instead, repeated lapses have left them exposed. Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, told the BBC, “It is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place.”
Cybersecurity experts agree that the root of many of these breaches lies in human error—misaddressed emails, missed security checks, and a lack of rigorous oversight. Jake Moore, global cybersecurity advisor at ESET, explained to Computer Weekly, “Sensitive data should always require stricter protection through encryption and extra human checks, especially when lives are at risk. Repeated incidents not only rub salt into the wound but show systemic weaknesses meaning security needs to be improved in organisational culture. Confidence in security can easily be lost and in this case the leaks threatened not only privacy but people’s safety.”
The MoD, for its part, has maintained that it takes data security “extremely seriously.” In a statement provided to the BBC on August 21, 2025, a spokesperson said, “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.” The department has also pledged to refer any incident to the ICO if it meets the relevant thresholds for reporting.
Yet, critics argue that assurances are not enough. The ARAP scheme, which closed in July 2025, was plagued by “constant complaints relating to data security,” according to the BBC. With each new breach, trust in the UK government’s ability to protect those it promised to help has eroded further.
In an effort to address these failings, the MoD has recently turned to technology for solutions. Earlier this month, it appointed Australian cybersecurity firm Castlepoint Systems to deploy an artificial intelligence platform designed to improve data protection practices. Castlepoint’s proprietary, explainable AI model is intended to manage both structured and unstructured data, automate records management, and ensure compliance with privacy regulations. The company claims its technology can sift through vast datasets—far more than a human could manage—identify sensitive content, and apply the correct security controls.
This move comes alongside broader efforts within the MoD to modernize its IT infrastructure. The department has launched a certification scheme for organisations in the UK defence supply chain and has chosen IT services provider Kainos to develop a £50 million data analytics platform for the armed services. Still, the shadow cast by the ARAP breaches lingers, and for many, the question remains: can technology alone repair the damage done to those whose lives were put at risk?
As the dust settles, the demand for accountability and transparency grows louder. The full story of the ARAP data breaches is still unfolding, but one thing is clear: the stakes could not be higher for those who placed their trust—and their safety—in the hands of the British government.