21 August 2025

UK Ministry Of Defence Faces Outcry Over Afghan Data Breaches

Years of repeated security lapses in the Afghan relocation scheme have exposed thousands to danger and left the government scrambling to restore trust.

The United Kingdom’s Ministry of Defence (MoD) has admitted to a staggering 49 separate data breaches over the past four years within the unit responsible for handling relocation applications from Afghans seeking safety in Britain. This revelation, uncovered through a BBC Freedom of Information request and corroborated by investigations from Khaama Press and LBC, has sparked intense criticism from lawyers, campaigners, and data protection experts, who warn that repeated failures have endangered the lives of vulnerable Afghans who aided British forces during the long conflict in Afghanistan.

Four of these breaches were previously known to the public, but the true scale of the problem only became clear last month after the High Court lifted a nearly two-year-long superinjunction that had kept details of the most catastrophic incident under wraps. In that 2022 breach, a spreadsheet containing the names, contact details, and sensitive information of almost 19,000 Afghans fleeing Taliban persecution was accidentally sent to trusted Afghan contacts by a soldier at Regent’s Park barracks. Unbeknownst to the sender, hidden data in the spreadsheet exposed far more people than intended. Judges later noted that between 80,000 and 100,000 individuals, including family members of those applicants, could face harassment, torture, or even death if the Taliban accessed this information.

For months, the government argued that secrecy was necessary to protect lives, securing a rare and “constitutionally unprecedented” superinjunction that not only barred publication of the story but even prevented acknowledgment that an injunction existed. According to LBC, hearings were held in secret, with media lawyers excluded from “closed sessions.” The superinjunction was finally lifted in July 2025, allowing the public to learn the full extent of what the MoD itself described as a “catastrophic breach.”

The Afghan Relocations and Assistance Policy (ARAP), launched in April 2021 and closed in July 2025, was meant to provide sanctuary in the UK for Afghans who supported British military operations. Yet, the programme has been repeatedly criticized for poor data security. In September 2021, for instance, more than 250 Afghans were mistakenly copied into a single email, exposing 265 addresses—an error that resulted in a £350,000 fine from the Information Commissioner’s Office (ICO). These incidents were, as one defence source told the BBC, “intensely difficult and embarrassing for the government handling publicly.” Then-Defence Secretary Ben Wallace did not mince words, telling MPs: “I am very keen that it is not just the poor person who drafts the email who is held to account, but the chain upwards, to ensure that this does not happen again.”

Despite promises of reform, the breaches continued. In November 2021, the Conservative government announced “significant remedial actions,” including new data handling procedures, staff training, and a “two pairs of eyes rule” requiring a second staff member to review any external email to ARAP applicants. The government said these measures would “prevent such incidents occurring again.” Yet, as the BBC and Khaama Press report, at least 49 breaches have now been recorded, with seven deemed so serious that officials had to notify the ICO. Three of those—one in 2021 and two in 2022—had never been disclosed to the public before this summer.

The Information Commissioner’s Office, for its part, described the 2022 spreadsheet leak as a “one-off occurrence following a failure to [follow] usual checks, rather than reflecting a wider culture of non-compliance.” However, lawyers representing Afghan applicants argue that the mounting number of incidents tells a different story. Adnan Malik, head of data protection at Barings Law, which represents hundreds of Afghans affected by the 2022 breach, told the BBC: “What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings. We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.”

Jon Baines, a senior data protection specialist at Mishcon de Reya, echoed these concerns, telling the BBC that the figures show a “remarkable number of data security incidents in relation to the ARAP scheme.” He added, “It is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place.”

Seven of the 49 breaches were serious enough to require notification to the ICO, but the regulator has not taken action over the large spreadsheet breach, citing resource constraints and prioritization. “We continue to engage with the MoD, so we can be assured that they have made the required improvements,” a spokesperson said. Still, Baines questions whether the ICO should have conducted more in-depth investigations and warns that “there is now an urgent need for more investigation. What assurance can we all have now that the MoD are properly protecting the highly sensitive personal data it is often entrusted with?”

The political fallout has been swift. A Labour government source laid blame on previous Conservative administrations for inadequate data protection, noting that since Labour took power in July 2024, “we’ve brought in a host of new measures to improve data security and we’ve made public the largest Afghan data breach which occurred under the previous government, to allow for parliamentary scrutiny and accountability.” The source emphasized that new software and oversight procedures have been introduced in an effort to restore public trust.

Conservatives, meanwhile, have acknowledged the gravity of the situation. A party spokesperson said: “This data leak should never have happened and was an unacceptable breach of data protection protocols. The secretary of state for defence has issued an apology on behalf of the government, and Conservatives joined in that apology. When this breach came to light, the immediate priority of the then-government was to protect persons in the dataset.”

The MoD itself maintains that it “takes data security extremely seriously and is committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties. All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner’s Office, and any lesser incidents are examined internally to ensure lessons are learned.”

For many Afghans who risked everything to help British forces, however, these assurances may ring hollow. The accidental exposure of their identities and personal details has left thousands fearing the prospect of Taliban retribution. According to LBC, at least 6,900 people have now been brought to the UK as a result of the breach, but many more remain in limbo, unsure if their safety can ever be guaranteed.

The government is now under growing pressure to overhaul its data protection practices, strengthen oversight, and ensure that such life-threatening errors are never repeated. As scrutiny intensifies, one thing is clear: the cost of bureaucratic failure can be measured not only in fines or headlines, but in human lives.