For over three years, a single mistaken email has quietly reshaped the lives of thousands of Afghans and stirred deep controversy within the British government. The accidental leak of sensitive data belonging to nearly 19,000 Afghan nationals who sought refuge in the UK has only just come to light after being shrouded in secrecy behind a rare and powerful legal order known as a super-injunction.
It all began in February 2022, when an unnamed British soldier working at the UK Special Forces headquarters was tasked with verifying applications for the Afghan Relocations and Assistance Policy (ARAP). This scheme was designed to resettle Afghans who had aided British forces during the two-decade conflict in Afghanistan. The soldier, believing he was sending a small set of around 150 names, mistakenly forwarded a spreadsheet containing detailed personal information on 18,714 applicants—information that included names, contact details, and family data, affecting roughly 33,000 individuals when extended to relatives.
The Ministry of Defence (MoD) remained unaware of the leak for over a year, until August 14, 2023, when parts of the data surfaced on Facebook. The leak was first spotted by an activist assisting Afghan applicants, who warned the MoD that “The Taliban may now have a 33,000-long kill list – essentially provided to them by the British government.” This chilling message underscored the gravity of the situation and the potential danger to those named and their families.
In response, the MoD swiftly asked Facebook to remove the leaked information and sent warnings via WhatsApp to approximately 1,800 ARAP applicants residing in Pakistan. However, the damage had already set in motion a complex chain of events.
To prevent the leak from becoming public knowledge and to protect those at risk, the government sought and obtained an unprecedented super-injunction on September 1, 2023. This legal order not only barred the media from reporting on the breach but prohibited even acknowledging the existence of the injunction itself. The rationale was stark: the risk to the lives of many individuals and their families was deemed “grave” by the courts.
Behind the scenes, the government quietly established a secret resettlement program called the Afghanistan Response Route (ARR) in April 2024. This initiative aimed to evacuate individuals from the leaked dataset who were not eligible under ARAP but were judged to be at the highest risk of Taliban reprisals. By July 2025, around 900 principal applicants and 3,600 family members had been flown to the UK under ARR, with hundreds more invitations extended. Altogether, nearly 7,000 people were relocated through this covert scheme.
Yet, the story of the leak and the secret relocation effort remained hidden from public scrutiny for years. Even key parliamentary bodies, like the Intelligence and Security Committee (ISC), were kept in the dark, sparking fury among its members. Lord Beamish, the ISC chairman, condemned the government’s decision to withhold information, calling the cover-up “appalling” and unprecedented in his experience. The ISC has now formally demanded access to all related intelligence assessments and documents, vowing to investigate the government’s handling of the breach.
The timeline of this saga reveals a series of critical moments. After the leak was discovered in August 2023, Defence Secretary Ben Wallace applied for the court injunction. Successive legal battles ensued, with High Court judges repeatedly reviewing the super-injunction’s necessity amid concerns about freedom of speech and public interest. While a judge in May 2024 ruled the injunction should be lifted, the government appealed, and the Court of Appeal sided with safety concerns, extending the gag order.
Following a change in government after the July 2024 general election, Labour’s Defence Secretary John Healey was briefed on the situation only months later. Early in 2025, Healey commissioned an independent review by retired civil servant Paul Rimmer to assess the risks posed by the leaked data. Rimmer’s report, submitted in June 2025, found “little evidence of intent by the Taliban to conduct a campaign of retribution” specifically triggered by the leak. He noted that the Taliban already possessed extensive information about Afghans, so the leaked spreadsheet alone was “highly unlikely” to be the sole or definitive reason for targeting individuals.
Based on this assessment, the High Court lifted the super-injunction on July 15, 2025, allowing the press to report on the breach and the government’s secret response. However, a new, more limited court order remains in place to prevent the release of particularly sensitive details, citing ongoing confidentiality and national security concerns.
The financial cost of the breach and subsequent relocation efforts has been staggering. Official figures suggest the secret ARR program alone has cost around £400 million to relocate 900 Afghans and their families, with total UK spending on Afghan resettlement since 2021 estimated between £5.5 billion and £6 billion. Earlier internal documents had projected costs up to £7 billion, but these were revised downward as the scope of the secret scheme was curtailed.
Legal repercussions are also unfolding. A Manchester-based law firm, Barings Law, is preparing a joint action on behalf of about 1,000 Afghans named in the leaked dataset, seeking at least £50,000 each in damages. Adnan Malik, head of data protection at Barings Law, described the breach as “incredibly serious” and criticised the MoD for attempting to hide it from the public. He stressed that many claimants “continue to live with the fear of reprisal against them and their families.”
Throughout this ordeal, questions have mounted about who knew what, and when. The soldier responsible for the initial email remains unnamed and was not dismissed, while senior officials, including former Defence Secretary Ben Wallace and Armed Forces Minister James Heappey, have publicly acknowledged responsibility and expressed regret. However, former Prime Minister Rishi Sunak and other top officials have yet to make statements. The ISC’s demand for documents and potential inquiry may finally bring greater accountability.
For the Afghans affected, the breach has been a source of profound anxiety and upheaval. While thousands have been relocated to safety, tens of thousands remain in Afghanistan, facing uncertain futures. The MoD advises those named in the leak to exercise caution, limit their digital footprints, and use protective measures like VPNs.
As the story unfolds in public view for the first time, it reveals a tangled web of bureaucratic error, legal battles, secretive government action, and human cost. The Afghan data breach stands as a stark reminder of the risks inherent in handling sensitive information during times of crisis, and the heavy responsibilities governments bear in protecting those who have served alongside them.
