Nearly fifty more Afghan data breaches revealed after MoD blunder puts thousands at risk

The British armed forces evacuating eligible civilians and their families out of Afghanistan. Picture: Getty

By Jacob Paul

At least 49 separate data breaches at the unit responsible for handling relocation applications from Afghans seeking safety in the UK have been uncovered.

Last month, LBC exclusively revealed how a leaked Ministry of Defence (MoD) list exposed the details of thousands of Afghans who had applied for asylum under the Afghan Relocations and Assistance Policy (ARAP) — a scheme that offers sanctuary in the UK to Afghans who supported British military operations during the conflict.

The government spent nearly two years using an unprecedented superinjunction to prevent the public from learning about the catastrophic breach.

Now, the Ministry of Defence has been forced to admit that there have been at least 49 data breaches at the same unit over the last four years following freedom of information requests sent by the BBC.

Four out of the 49 breaches were already known to the public. Details of the nature of the other breaches have not been disclosed.

Seven of the 49 data breaches were deemed serious enough to require MoD officials to inform the data watchdog, the Information Commissioner's Office (ICO).

At least 49 separate data breaches at the unit responsible for handling relocation applications from Afghans seeking safety in the UK have been uncovered. Picture: Getty

That includes three breaches - one in 2021, and two in 2022 - that have never been publicly disclosed before.

The ICO said the amount of information it still held on those breaches was limited and that work with MoD was "ongoing".

"We continue to engage with the MoD, so we can be assured that they have made the required improvements," a spokeswoman said.

The MoD has been urged to release further information about the breaches, so victims do not learn of them through legal action or news reports.

In 2021, officials accidentally revealed the email addresses or other personal details of hundreds of Afghans hoping to relocate to Britain.

The breaches caused a major headache for the government and the MoD, and they vowed that nothing like this would ever happen again.

But in 2022, a potentially disastrous leak saw a soldier at Regent's Park barracks send a spreadsheet with what they thought was a small number of applicants' names to trusted Afghan contacts.

They failed to realise the spreadsheet had details of almost 19,000 people fleeing the Taliban.

The leak exposed by LBC revealed that between 80,000 and 100,000 people, including family members of the ARAP applicants, were affected by the breach and could be at risk of harassment, torture or death if the Taliban obtained their data, judges said in June 2024.

The Ministry of Defence has been forced to admit the leaks. Picture: Alamy

The News Agents’ and LBC presenter Lewis Goodall was barred from reporting it and initially forbidden from even informing his editor. Court hearings were held in secret, with even media lawyers excluded from "closed sessions."

The MoD sought and was granted a contra mundum superinjunction — a rare legal order that not only barred publication of the story but also prevented anyone from revealing that an injunction even existed. In court, it was described as “constitutionally unprecedented”.

The injunction was originally presented as a short-term emergency measure to protect lives while the government identified and helped those most at risk.

But subsequent hearings revealed that the number of people the MoD planned on assisting was just 200 individuals, plus their dependents - a fraction of those affected. Eventually, though there is some dispute about the figures, at least 6,900 people have now been brought over as a result of the breach.

An MoD spokesperson said: "We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.

"All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner's Office, and any lesser incidents are examined internally to ensure lessons are learned."