A devastating Ministry of Defence (MoD) data breach that exposed the details of thousands of Afghans seeking sanctuary in the UK – potentially putting up to 100,000 lives at risk – could happen again, MPs have warned.
A cross-party group of MPs that scrutinises government spending published a damning report on Friday into the MoD’s response to the breach.
The public accounts committee (PAC) found the department failed to learn from multiple data breaches over successive years and there were inadequate systems and controls in place at the MoD to manage personal data.
The February 2022 breach occurred when a spreadsheet containing 33,000 lines of data was emailed to someone outside government. It was only discovered in August 2023, when parts of the database appeared in a Facebook group. This prompted the government to use an unprecedented superinjunction to halt reporting and triggered a huge secret evacuation programme.
For nearly two years, media organisations, including The Independent, sought to scrutinise the MoD’s actions in secret court hearings. The PAC report reveals that the MoD failed to tell the National Audit Office (NAO) about what had happened, despite pledging billions of pounds of taxpayers money to the secret evacuation scheme behind closed doors.
One audit director at the NAO was told by the MoD that there was a secret matter relating to a data breach that could not be shared, the report said. They were not told any detail of the operational consequences, number of people affected, or likely cost. The director was also told they could not pass on this information to anyone else within the spending watchdog.
At one point in October 2024, ministers signed off on a £7bn scheme to move around 36,000 people to the UK, a significant majority of whom were affected by the data breach.
On the failures that led to the data breach, Sir Geoffrey Clifton-Brown MP, chair of PAC, said: “The MoD knew what it was doing – it knew the risks of using inadequate systems to handle sensitive personal information as the security environment in Afghanistan deteriorated.”
He continued: “We lack confidence in the MoD’s current ability to prevent such an incident happening again.”
Sir Geoffrey said: “The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD’s decision making.
“The MoD’s outgoing permanent secretary told our inquiry that this period of secrecy in how taxpayers’ money was being spent had been ‘deeply uncomfortable’ for him. That is just as it should be, and we are glad to hear it – but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister.”
An independent caseworker who was the first to alert the government to the data loss in 2023 said the committee’s report was “excoriating”.
“It shows that there has been an ongoing and continuing priority given to limiting the MoD’s accountability when it comes to the 2022 data breach. Thousands of people are still in danger in Afghanistan and yet the evacuation pathway is currently at a standstill,” they said.
“The MoD is stating that they are experiencing significant challenges to resettlement, meaning that Afghans who put their lives on the line for the UK are facing a fifth year living in hiding, waiting to see if the UK will eventually honour our promise to move heaven and earth to get them out.
“It is clear the committee is concerned that further breaches may occur – a concern I share as lessons do not seem to have been learned.”
Afghan security forces are still being hunted down, tortured and executed by the Taliban, with more than 100 former Afghan forces killed in the country since 2023, recent research from Lighthouse Reports and The Independent found.
An MoD spokesperson said: “The data incident under the previous government in 2022 should never have happened and while the committee acknowledges that practices have improved, we are continuing to make changes and improvements in data handling across the department, such as introducing a dedicated, secure casework system for Afghan resettlement.
“This government lifted the superinjunction in July so that the public and parliament could rightly scrutinise this.”
The spokesperson claimed that the “overall financial cost has never been concealed”, saying that the government published the cost of all Afghan resettlement schemes in its 2024 spending audit.
MPs highlighted that the MoD could not accurately identify or account for the costs of resettling thousands of Afghans as a result of the breach. Though the department has said that the total cost was around £850m, the NAO said that it did not have confidence in the accuracy or completeness of that estimate.
The committee have asked the MoD to provide updates on how many people have arrived in the UK as a result of the breach, and to confirm that a new caseworking system put in place to handle Afghan applications would prevent a recurrence of the February 2022 breach.
An estimated 27,278 people affected by the data breach could be resettled in the UK, the MoD believes. However, only 3,383 people are recorded as arriving in the UK under the scheme for those impacted by the leak, the report said.
The MoD predicts it will take some years before everyone who is eligible to come the UK has been brought to safety, the PAC report said.
The lack of oversight over the MoD’s response to the Afghan data breach has prompted people at the “highest level within government” to propose a parliamentary oversight committee that would look at more sensitive aspects of defence work, such as maintaining the nuclear deterrent. MPs said this proposal was “moving far too slowly”.
