Ministry of Defence Unveils Reforms Following Catastrophic Afghan Data Breaches

DOWNLOAD IPFS

The United Kingdom’s (UK) Ministry of Defence (MoD) has announced sweeping reforms following two serious data breaches that exposed the personal information of thousands of Afghan nationals who supported British forces. The incidents triggered intense scrutiny and led to a complete overhaul of the department’s data handling procedures and internal oversight.

The first breach occurred in September 2021, when the MoD’s Afghan Relocations and Assistance Policy (ARAP) team mistakenly sent emails that included the full addresses of 265 recipients, 245 of whom were Afghan nationals seeking asylum in the UK. In one instance, a reply-all response disclosed an individual’s location, making 55 profiles viewable to all recipients. Given the Taliban’s ongoing threats against those who aided British military operations, the breach placed many lives at serious risk.

A second, more damaging breach took place in early 2022, when a spreadsheet containing personal data of nearly 19,000 Afghan applicants was accidentally distributed and later found on social media in mid-2023. The Ministry of Defence responded with a rarely used “super-injunction” that prohibited public discussion of the breach until the court order was lifted nearly two years later.

Following these revelations, the Information Commissioner’s Office (ICO) imposed a £350,000 fine on the Ministry of Defence, citing significant failures in protecting personal data under the UK General Data Protection Regulation (UK GDPR). The fine had initially been proposed at £1 million but was reduced due to the MoD’s cooperation and early efforts at remediation.

Defence Secretary John Healey issued a formal apology in Parliament, calling the incidents “deeply regrettable” and offered an assurance that affected individuals would be notified and supported. The MoD directed recipients to delete exposed emails, update contact details securely, and submit new information through a protected online portal.

Key reforms now implemented by the MoD include a mandatory “second pair of eyes” process for group emails, stricter IT controls, enhanced data protection training, and the appointment of a Chief Information Officer tasked with improving departmental data governance. A full review of digital communication practices is also underway.

Additionally, the Afghanistan Response Route (ARR), a secretive emergency resettlement scheme, was launched in April 2024. Through this programme, over 16,000 people were relocated to the UK, at a cost of nearly £850 million. However, the scheme was closed in early 2025 following criticism over its cost and secrecy.

Over 665 compensation claims have been filed, and legal experts argue that the Ministry of Defence may face substantial civil liability. Calls for a public inquiry continue to mount amid concerns over transparency, data security, and institutional accountability.