Catastrophic MoD data breach that put up to 100,000 lives at risk finally revealed as superinjunction lifted

The blunder triggered a top secret government operation, codenamed Operation Rubific, which involved 16,000 Afghans being brought to the UK as part of Britain’s largest covert peacetime evacuation, with some 8,000 still to come.

The whole operation was kept secret from MPs and the public, with ministers even deciding to hide the true reason for the evacuation from parliament.

Read more about the government’s extraordinary breach and how it was kept secret here:

• Live – Judge demands answers over MoD gagging order
• Inside the secret scramble to save lives after MoD data breach
• My court fight to expose government’s failings
• The draconian court order used to keep information secret

The extraordinary case can only now be revealed after a court battle lasting almost two years, in which national media – including The Independent – fought for the lifting of the superinjunction, a court order so strict that even mentioning its existence was forbidden.

Lifting the superinjunction on Tuesday, High Court judge Mr Justice Chamberlain called for further investigation after an official review into the data leak “fundamentally undermined the evidential basis” on which the superinjunction had been based.

As the catastrophic breach is finally made public, it can be revealed that:

• The government was prepared to evacuate more than 42,000 people affected by the data leak at an estimated cost of £7bn
• At least 17 people mentioned in the dataset are believed to have been killed by the Taliban, 14 of these after the leak occurred
• The official review of the leak, commissioned in January 2025, warned that the government may have made the dataset more appealing to the Taliban by creating the special evacuation scheme and hitting the media with a superinjunction
• The MoD is facing a compensation claim from more than 650 Afghans who believe they were affected by the breach, which could cost hundreds of millions of pounds

After the superinjunction was lifted, defence secretary John Healey offered a “sincere apology on behalf of the British government” for the data breach. Addressing MPs in the Commons, he said he had felt “deeply concerned about the lack of transparency” that resulted from the order.

Yet hours before the superinjunction was set to be lifted, journalists were hit with a new injunction preventing the exact details of what was on the spreadsheet from being shared, with the government arguing that it should be implemented on grounds of confidentiality and national security.

The highly confidential database contained information from applications to the MoD’s resettlement scheme, called Arap, which was set up in the wake of the disastrous withdrawal from Kabul as a way to manage the relocation of Afghans who had worked with British forces.

Some 18,714 applicants, as well as their family members, were named in the database, which was shared by a member of the armed forces who was trying to verify cases. Mr Healey said the serviceman believed the list contained just 150 names, but he admitted that the leak “should never have happened”.

The majority of these applicants had already been found ineligible for relocation to the UK, and most were still in Afghanistan. The list also included names of British government officials.

One independent caseworker who raised concerns to the MoD described the incident as “simply bone-chilling”, and warned officials that the document amounted to a “kill list” of vulnerable Afghans.

After the breach was discovered by the MoD in August 2023, the High Court put in place a superinjunction, a court order meaning that the breach could not be reported. It was granted “contra mundum”, meaning it applied to everyone – and was believed to be the first ever order of its kind, according to the judge, Mr Justice Chamberlain.

It means the government has faced no scrutiny over the breach or the subsequent operations, from either parliament or the public, since the order was imposed.

In total, 23,900 Afghans linked to the breach have been offered relocation to the UK, with more than 16,000 already relocated. The MoD says 6,900 of these are people who would not otherwise have been brought to Britain.

In order to explain the need for a new resettlement scheme without alerting the Taliban to the leak, Mr Healey told MPs in a written statement that the change would “deliver greater efficiency”. Officials said the plan would “provide cover” for the thousands arriving in the UK, and would explain to councils why Afghan families needed to be housed in their areas.

In January 2025, the former deputy head of defence intelligence Paul Rimmer was commissioned to review the government’s approach, leading to a report that would blow holes in its legal case and ultimately lead to the lifting of the superinjunction.

It would conclude that as the Taliban already had access to “significant volumes of data” by which it could identify targets, the leaked dataset would constitute only a “piece of the puzzle” rather than a “smoking gun”.

It also found that the superinjunction may have made matters worse by making the dataset appear more useful to the Taliban than it actually was.

The report would lead the defence secretary to recommend the lifting of the injunction, and the judge to question the defence intelligence assessments that had previously underpinned the MoD’s case.

On Tuesday, Mr Justice Chamberlain, who has heard the case for over 18 months, read out his summary judgment, dismissing the superinjunction.

Noting that the granting of a superinjunction had given rise to serious concerns about freedom of speech, he said it had “had the effect of completely shutting down the ordinary mechanisms of accountability which operate in a democracy”.

In an urgent statement to the Commons after the injunction was lifted, Mr Healey admitted he had felt “uncomfortable” with the superinjunction and added that “in some ways it was unconscionable”.

He said: “No government wishes to withhold information from the British public, from parliamentarians or the press in this manner.”

However, he agreed with the last Tory government that “difficult decisions needed to be made” as he apologised for the blunder.

MPs on the influential defence select committee will now investigate the incident, with chair Tanmanjeet Singh Dhesi MP describing the episode as “a mess” that needs to be thoroughly examined because of the “serious ramifications”.

Campaigners and politicians have also asked questions about how the leak happened and how the government reacted to it.

In an intervention in parliament during Mr Healey’s statement, Tory MP Mark Pritchard condemned the decision to impose a superinjunction, which ensured there would be no scrutiny of the incident for two years. He warned that the argument for a superinjunction was “very thin, because even the MoD admits that Taliban-aligned individuals already had access to the database”.

Former Tory leader Sir Iain Duncan Smith added: “I am concerned that the super injunction was applied, as that is peculiar: it stopped any free speech or examination in parliament, and we are still none the wiser as to who was responsible or why it happened.”

Dr Sara de Jong, co-founder of the Sulha Alliance, a charity that helps Afghans who supported the British, said: “It is incredibly concerning that the MoD routinely asks Afghans threatened by the Taliban for the most sensitive of personal data, yet can’t be trusted with data protection.

“These Afghans protected us, and they deserved our protection in return.”

The Information Commissioner’s Office, the UK’s data watchdog, said breach was a “deeply regrettable incident that placed thousands of vulnerable people at risk” and that it “should never happen again”, but added that “no further regulatory action is required at this time”.

Former defence secretary Ben Wallace, who was in post at the time of the data breach, declined to comment, noting that the superinjunction was put in place after he had left the MoD.

A source close to his successor Grant Shapps noted that the data breach had happened before Mr Shapps was in post, and said that his job when he joined the department was “to sort out the mess and save lives”.