In a saga that has rocked the corridors of Whitehall and sent shockwaves through Afghan communities, the UK Ministry of Defence (MoD) has admitted to 49 separate data breaches over the past four years involving the highly sensitive Afghan relocation scheme. The revelations, confirmed as of August 21, 2025, have exposed the personal details of thousands of Afghan nationals who applied for sanctuary in Britain after working with UK forces—a disclosure that has raised urgent questions about government accountability, data protection, and the safety of those left behind.
The breaches occurred within the unit responsible for processing claims from Afghans seeking refuge in the UK under the Afghan Relocations and Assistance Policy (ARAP). Established in April 2021, ARAP was designed to help at-risk Afghans—particularly those with close ties to the British military—escape Taliban reprisals following the West’s withdrawal from Afghanistan. The scheme was closed in July this year, but not before being dogged by persistent complaints about poor data security and a series of operational missteps that, critics say, put lives in jeopardy.
According to the BBC, four of the 49 breaches had previously been acknowledged publicly, including a massive 2022 leak involving a spreadsheet with the personal details of nearly 19,000 people fleeing the Taliban. This catastrophic error—caused by a soldier at Regent’s Park barracks who inadvertently sent a spreadsheet containing hidden data to trusted Afghan contacts—was only brought to light after a High Court gagging order was lifted in July 2025. For almost two years, the scale of the breach and the government’s response remained concealed from public scrutiny.
“What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings,” said Adnan Malik, Head of Data Protection at Barings Law, which represents hundreds of Afghans affected by the 2022 breach, in comments to the BBC. “We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.”
The fallout from the 2022 leak was immediate and severe. The government launched a secret programme to bring thousands of Afghans to safety, with more than 6,000 ultimately resettled in the UK. Yet, the damage had been done. Defence Secretary Grant Shapps publicly apologized for the disclosures, acknowledging that the leaks placed Afghan allies at risk of Taliban reprisals. “This data leak should never have happened and was an unacceptable breach of data protection protocols,” a Conservative Party spokesman told the BBC. “The secretary of state for defence has issued an apology on behalf of the government, and Conservatives joined in that apology.”
The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, initially described the 2022 incident as a “one-off occurrence following a failure to [follow] usual checks, rather than reflecting a wider culture of non-compliance.” However, the new figures—released to the BBC under the Freedom of Information Act—have raised serious doubts about the adequacy of that assessment. Seven of the 49 breaches were classified as serious and referred to the ICO, including three that had not previously been made public. The ICO has stated that it continues to engage with the MoD to ensure improvements are made, but has not taken direct action over the large spreadsheet breach, arguing that “there was little we could add in this case that would justify the further allocation of resource away from other priorities.”
The breaches were not limited to spreadsheets or hidden data. In September 2021, more than 250 Afghans seeking relocation were mistakenly copied into an MoD email, exposing their identities and putting them at risk of Taliban reprisals. That incident, which led to a £350,000 fine from the ICO, prompted the government to introduce “significant remedial actions,” including new data handling procedures and a “two pairs of eyes rule” requiring any external email to be reviewed by a second staff member before being sent. Despite these measures, breaches continued—culminating in the 2022 leak that would become the most consequential of all.
The situation was further complicated by reports from The Telegraph that some former Taliban fighters were evacuated to Britain on humanitarian flights, including individuals with records of sexual offences, corruption, and imprisonment. Sources alleged that corrupt Afghan officials had helped place Taliban fighters on evacuation lists, raising concerns about the integrity of the vetting process and the potential danger to genuine allies of the UK.
For many Afghans left behind, the consequences have been devastating. Since the February 2022 leaks, more than 200 former Afghan soldiers and police officers have been identified and killed by the Taliban, according to a Daily Telegraph investigation. Lawyers representing affected Afghans have accused the MoD of widespread negligence, arguing that a lax security culture prevailed even after repeated warnings and high-profile mistakes.
“It is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place,” said Jon Baines, a senior data protection specialist at Mishcon de Reya, in comments reported by the BBC. “There are serious questions firstly as to whether the ICO should have conducted more in-depth investigations previously, and secondly, whether there is now an urgent need for more investigation. What assurance can we all have now that the MoD are properly protecting the highly sensitive personal data it is often entrusted with?”
The political fallout has been fierce and unrelenting. Prime Minister Keir Starmer has called for former Conservative ministers to answer questions over the breaches, while Labour sources have blamed previous administrations for inadequate data protection measures. “Current ministers repeatedly highlighted the Tory mismanagement of data around the ARAP scheme while in opposition,” a Labour government source told the BBC. “Since last July, we've brought in a host of new measures to improve data security and we've made public the largest Afghan data breach which occurred under the previous government, to allow for parliamentary scrutiny and accountability.”
The MoD maintains that it takes data security extremely seriously and is committed to ensuring all incidents are dealt with properly. “All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner's Office, and any lesser incidents are examined internally to ensure lessons are learned,” an MoD spokesperson said. The ministry has also stated that new software and additional safeguards have been introduced since Labour took office in July 2024.
Yet, for Afghan families whose lives have been upended by both war and bureaucratic error, assurances may offer little comfort. As the UK grapples with the consequences of these breaches, the story serves as a stark reminder of the profound responsibilities that come with managing the data—and destinies—of those who risked everything to stand alongside British forces.
