A serious data breach at the UK’s Ministry of Defence, revealed for the first time today after the lifting of a superinjunction preventing the media from discussing the case, put at risk the personal data, and lives of thousands of Afghan citizens seeking relocation to the UK to protect them from Taliban reprisals after the group regained control of the country in 2021, two decades after they were ousted following the 9/11 terrorist attacks.
The cyber incident arose in early 2022 when a dataset containing details of over 18,000 people applying for asylum under the Afghan Relocations and Assistance Policy (Arap) and the Afghanistan Locally Employed Staff Ex-Gratia Scheme (EGS) on the basis they had worked with or for the UK during the Western occupation of the country, was released in error.
It has now emerged that about 18 months later, the MoD discovered that part of this dataset relating to nine individuals had been published on social media platform Facebook.
Fearing the consequences if this data was to fall into the hands of the Taliban, a superinjunction was granted in September 2023 against multiple outlets including The Daily Mail, The Daily Telegraph, The Financial Times, The Independent, the Press Association and The Times, stopping them from reporting details of the incident.
The lifting of the superinjunction comes following a review report prepared by former civil servant Paul Rimmer. This report concluded that should the dataset fall into the hands of the Taliban it would be “unlikely to substantially change an individual’s existing exposure” based on the volume of data already in the public domain.
Rimmer’s report also deemed it “unlikely” that the fact of an individual’s inclusion in the dataset would be grounds for the targeting of said individuals’ or their associates or families by the Taliban.
Besides the superinjunction, the incident also led to the establishment of a secret Afghan resettlement route – dubbed the Afghanistan Response Route (ARR), to fast-track the resettlement of a total of about 200 principal applicants, later broadened to 3,000.
This route is, as of today, closed, having relocated about 900 principal applicants and 3,600 family members at a cost of £400m, although the government confirmed that ARR offers made to about 600 more principals and their families who remain in Afghanistan will be honoured if taken up. It is likely that the final cost of the ARR will double.
In an oral statement to the House of Commons, defence secretary Ben Healey said: “It [the database] contained names and contact details of applicants – and some instances, information relating to the applicants’ family members. In a small number of cases … the names of members of Parliament, senior military officers and government officials were noted as supporting the application.
“This was a serious departmental error. It was in clear breach of strict data protection protocols. And it was one of many data losses relating to the ARAP scheme during this period,” said the minister.
Healey told the Commons that swift action was taken to remove the exposed data from Facebook, an internal investigation was mounted, and reports were made to the Information Commissioner’s Office (ICO) and the Metropolitan Police, which determined no criminal investigation was necessary.
“This serious data incident should never have happened,” said Healey. “It may have occurred three years ago under the previous government, but to all those whose information was compromised, I offer a sincere apology today on behalf of the British government.”
The government has established a dedicated microsite related to the incident, where those who may have been exposed can check if they were affected, and access guidance on preserving their own personal cyber security.
“Human error remains a major cyber risk which, as has been highlighted by a single misjudged email that exposed thousands of personal details,” said ESET global cyber security advisor Jake Moore.
“While people aren’t always behind data breaches, they are often the cause of data loss or cyber attacks, which only reinforces the need for stronger technical safeguards and user training.
“The addition of enhanced secrecy inside the organisation may have also exacerbated the problem, but the lack of proper protocols ultimately reveals a fundamental weakness in the system’s defences,” said Moore. “Even a basic human mistake can undermine even the most sensitive national security operations.”
History of exposures
The latest breach to be disclosed is not the first that has affected the ARAP programme, although it is the most serious by a significant margin.
In September 2021, the MoD was forced to reveal that approximately 305 individuals had had their data exposed in two separate incidents.
In the first breach, an internal error at the MoD saw the email addresses and names of 250 Afghan interpreters awaiting relocation copied into the body of an email. Many of the recipients – mostly interpreters who had worked with British forces during the occupation of their homeland – compounded the error by hitting the ‘reply all’ function, potentially exposing details of their locations and cases.
In the second incident, which was disclosed just two days later, saw the email addresses and names of 55 individuals, exposed in a similar blunder.
In December 2023, the Information Commissioner’s Office (ICO) took the step of fining the MoD £350,000 – out of step with its usual policy of not fining public sector or government bodies – given the risk to life that the incident posed.
The ICO’s investigation found that Arap was operating contrary to ICO guidance which states organisations must put technical measures in place to avoid accidental bulk email disclosure.
It had failed to implement any such measures and was relying instead on staff members remembering to use the Blind Carbon Copy (BCC) function, which is not an adequate protective measure.
