‘A few unrecorded meetings and a handshake’: Damning verdict of probe into major Afghan data breach

The truth of what happened was only revealed after a court battle lasting almost two years, in which national media – including The Independent – challenged an unprecedented superinjunction.

The UK’s data regulator, the Information Commissioner’s Office (ICO), which was responsible for probing the MoD’s response to the leak, chose not to launch a formal investigation into what had gone wrong, a decision that was met with criticism after the breach came to light. The ICO was one of the few official bodies that knew about the leak, while the public and MPs were kept in the dark for nearly two years.

Now it has emerged that the ICO did not take any contemporaneous notes of its decision not to launch an official probe of the catastrophic data loss, claiming officials were unable to record anything due to the classification of the secret information, which one MP claimed was “bandied about like confetti”.

Information Commissioner John Edwards told MPs on the science, innovation and technology on Tuesday that the ICO did not officially investigate but was relying on “honesty” from MoD officials.

He said the ICO had occasional meetings with MoD officials and would “feed in their observations about lines of inquiry”, adding: “I understand that those were received with gratitude”. The ICO decided in June 2024 that the MoD had done enough to ensure the bad data practices wouldn’t happen again.

Tory MP Kit Malthouse said he was surprised that no formal investigation had taken place, given the severity of the breach. He told Mr Edwards: “What you’ve broadly said to us, is that it was dealt with with a few unrecorded meetings and a handshake. See ya, nothing to see here.

“It seems extraordinary to me given the severity and the impact of it... The picture you’ve painted of the way the ICO handled it seems alarming”.

Dr Lauren Sullivan MP added: “It sounds like your method of investigation relies a lot on the honesty of the person you are investigating.”

Mr Edwards responded that there were tools the ICO could use to investigate government departments but that these weren’t necessary in this case because no formal investigation was launched.

He explained: “We didn’t investigate, yes we were relying on honesty. Had we later found we were misled we could have investigated.”

Chair of the science committee, Dame Chi Onwurah MP, said: “When I saw some of the details of the Ministry of Defence data breach, I was astounded that that could be part of government data practice. 33,000 line Excel file, with top secret information, bandied about like confetti. This is not an individual failure ... it was an institutional failing.”

She said she was not comforted by assurances that the MoD is “finally acting” on bad data procedures, saying the failings had taken place under the information commissioner’s watch.

Mr Edwards admitted there were not enough staff at the ICO with developed vetting to handle top secret information, but said it would not have mattered in this case because the regulator had decided not to launch an investigation.

He told MPs: “We are able to investigate top secret matters. We chose not to because it would have tied up resources which would have been better used elsewhere.”

He said that the ICO had carried out a formal investigation into a smaller data loss at the same MoD department, when a mass email was sent to 245 Afghans who had worked with the UK government.

Mr Edwards said that when the major Afghan data leak was reported to the ICO “we were confident that the ministry was taking it seriously”.