Of the 49 breaches, four were publicly known, including the massive 2022 leak of a spreadsheet containing the personal details of almost 19,000 people fleeing the Taliban…reports Asian Lite News
The Ministry of Defence (MoD) has admitted to 49 separate data breaches linked to Afghan relocation cases over the past four years, raising fresh questions about the government’s handling of one of its most sensitive post-war responsibilities.
The breaches, all within the unit responsible for processing relocation claims from Afghans seeking refuge in the UK, were disclosed following a Freedom of Information (FOI) request made by the BBC. Until now, only four of the incidents had been publicly known, including a massive 2022 leak which exposed the personal details of nearly 19,000 people fleeing Taliban rule.
That particular leak, described at the time as an isolated error, has since been revealed to be part of a wider pattern of failures. The revelation is likely to intensify concerns about a “lax security culture” within the Afghan resettlement scheme, according to lawyers representing hundreds of affected families.
While the MoD has not provided full details of each incident, the figure of 49 represents a far greater scale of risk than previously acknowledged.
The 2022 breach alone was catastrophic in scale. A soldier based at Regent’s Park Barracks mistakenly shared a spreadsheet which he believed contained a small set of names with trusted Afghan contacts. Embedded within the document, however, were the names, personal information and family contacts of almost 19,000 Afghans eligible for resettlement.
That disclosure, which had been kept secret for years under a gagging order only lifted last month, forced thousands of Afghans to be secretly relocated to the UK in order to protect them from Taliban retribution.
In 2021, a separate case saw more than 250 Afghans mistakenly copied into a group email, leaving their details visible to all recipients. The error was considered so serious that officials at the time pledged “significant remedial action”, including the introduction of a rule requiring a “second set of eyes” on every external email before being sent.
Despite these measures, however, dozens more breaches have occurred since. When the 2022 leak first became public knowledge, the Information Commissioner’s Office (ICO) downplayed its significance, calling it a “one-off occurrence” caused by a failure to follow routine checks rather than evidence of systemic failings.
But the disclosure of 49 incidents in total has raised questions about the regulator’s assessment. Lawyers say the scale of breaches suggests a deeper, cultural problem within the MoD’s relocation unit.
Adnan Malik, head of data protection at Barings Law, which represents hundreds of Afghans affected by the 2022 leak, said: “What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings. We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.”
The breaches centre on the Afghan Relocations and Assistance Policy (ARAP), launched in April 2021 following the UK’s withdrawal from Afghanistan. The scheme was designed to provide refuge for Afghans at particular risk because of their close ties to the British presence in the country during the two-decade war against the Taliban.
While it provided a lifeline to many, the programme was beset from the outset by administrative problems and persistent concerns about data security. The scheme formally closed in July this year, but lawyers and campaigners say the legacy of mishandled information continues to haunt those whose personal details may now be in the hands of the Taliban or other hostile actors.
Jon Baines, senior data protection specialist at Mishcon de Reya, said the new disclosures were “remarkable”. “It is difficult to think of any information more sensitive than that which is involved with the ARAP scheme,” he said. “It baffles me why there were not better security measures in place.”
In response to the revelations, the MoD defended its record, insisting that lessons have been learned. A spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.”
The department did not provide further detail about the nature of the other 45 previously undisclosed breaches, nor did it confirm whether those affected have been informed. Campaigners argue that without full transparency, Afghans who risked their lives by working alongside British forces will remain uncertain about the scale of the danger they face.
For many, the breaches represent more than a bureaucratic failure; they strike at the heart of trust between the UK and those who placed themselves in peril to support it. As Malik concluded: “These individuals stood shoulder to shoulder with the British mission in Afghanistan. The very least they deserve is the assurance that their safety has not been compromised by avoidable mistakes.”
