A data breach which may have put up to 100,000 people at risk of death or serious harm from the Taliban can now be reported more than three years after it took place.
Here the PA news agency looks at the timeline of events in the data breach and how governments responded to it:
– 22 February 2022
A UK Government worker accidentally emails a dataset containing the personal information of nearly 19,000 people who applied for the Afghan Relocations and Assistance Policy (Arap) outside of a secure government system.
He sends the email in an attempt to verify information, believing the dataset to only contain around 150 rows of information. It contains around 33,000.
– 14 August 2023
An anonymous Facebook user posts a small excerpt of the dataset on the social media site.
The Ministry of Defence (MoD) is notified.
Around 1,800 Arap applicants in Pakistan are sent a warning via WhatsApp by UK officials that their data may have been breached.
– 15 August
James Heappey, then armed forces minister, is sent an email warning by a civilian volunteer who assists Arap applicants after they discover the data breach.
The volunteer says: “The Taliban may well now have a 33,000 long kill list – essentially provided to them by the UK government.
“If any of these families are murdered, the government will be liable.”
– 16 August
The incident is reported to the Information Commissioner’s Office, and later to the Metropolitan Police.
– 17 August
A journalist from the Daily Mail contacts the directorate of defence communications, which includes the MoD press office, seeking comment on a story he wished to run about the breach, without disclosing the personal information lost.
The journalist later agrees not to publish until the MoD has a chance to implement “protective measures”.
– 18 August
A representative of Facebook’s parent company Meta says that the post has been removed, after requests from the MoD due to the “risk of physical harm”.
– 22 August
A journalist from The News Agents podcast contacts the Foreign, Commonwealth and Development Office and says he has information about the data incident. This journalist also agrees not to publish until protective measures completed.
– 25 August
Then defence secretary Ben Wallace “personally” makes the decision to apply for a court order.
– 1 September
The MoD asks the High Court for an injunction for approximately four months so that the government “may do everything it reasonably can to help those who might have been put at further risk”.
Judge Mr Justice Robin Knowles grants a superinjunction until a planned hearing on December 1.
The superinjunction, which is made “against the world”, rather than named individuals, is the first of its kind.
– 18 September
Head media judge Mr Justice Nicklin describes the superinjunction as “wholly exceptional” and say it “must be kept under active review by the court”. He brings the planned hearing forward.
– 13 October
The MoD asks for the superinjunction to continue, with the department’s deputy chief operating officer saying in written evidence that the threat to those in the dataset is “grave”.
– 16 November
Cabinet committee, the Domestic and Economic Affairs committee meets.
Notes from the meeting show plans to establish a compensation scheme, at a cost of between £120 million and £350 million not including administration, once the data breach is made public.
– 23 November
Mr Justice Chamberlain gives a private judgment where he says granting a superinjunction to the Government “is likely to give rise to understandable suspicion that the court’s processes are being used for the purposes of censorship”.
He decides to continue the superinjunction “for a period of four weeks”.
– 12 December
John Healey, then shadow defence secretary, is served with the superinjunction and given an initial briefing.
– 18 December
MoD lawyers describe the risk to life as “immensely serious, and extends to thousands of individuals” in written submissions. Mr Justice Chamberlain extends the superinjunction until February.
– 19 December
The Domestic and Economic Affairs committee meets again and says that a new route of settlement in the UK should be offered to some individuals who were ineligible for Arap.
This is agreed to be a targeted cohort of around 200 people and their dependents at the highest risk following the data breach, called the Afghanistan Response Route (ARR).
– 15 February 2024
Mr Justice Chamberlain continues the superinjunction, finding a “real possibility that it is serving to protect” some of those identified on the dataset.
He adds in a second judgment: “What is clear is that the Government has decided to offer help to only a very small proportion of those whose lives have been endangered by the data incident and that the decisions in this regard are being taken without any opportunity for scrutiny through the media or in Parliament.”
– 21 May
Mr Justice Chamberlain rules that the superinjunction should be lifted, but gives the MoD 21 days before the lifting comes into effect.
He says there is a “significant possibility” the Taliban know about the dataset, adding it is “fundamentally objectionable” that decisions about thousands of people’s lives and billions of pounds of taxpayers’ money are being taken in secret.
– 25 June
A two-day hearing behind closed doors starts at the Court of Appeal, as the MoD challenges the decision to end the superinjunction.
– 26 June
At the end of the hearing, Court of Appeal judges announce that the superinjunction will continue.
In a later written ruling, judges Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby say: “As the number of family members involved is several times the number of affected people, the total numbers of people who would be exposed to a risk of death or serious harm if the Taliban obtained the data is between 80,000 and 100,000.”
– 4 July
Labour enters Government following the general election.
– 11 November
The High Court is told by a barrister representing multiple media organisations that the government made a “misleading” public statement about applications for assistance from Afghanistan.
Jude Bunting KC adds in written submissions: “It is a matter of concern that the public did not know that the claimant had put over 90,000 lives at risk in the recent general election, by reason of this superinjunction.”
– 3 February 2025
A review of the data incident response says current plans for the Afghanistan Response Route would mean relocating more Afghans under it than had been relocated under Arap, and would extend schemes for another five years at a cost of around £7 billion.
The document, addressed to the Defence Secretary, recommends a review.
– 19 May
The High Court is told by a Manchester-based law firm that it has more than 600 potential clients who may sue the Government under data protection laws.
– 4 July
The Defence Secretary concludes that the Afghanistan Response Route should be closed following an independent review which finds the data breach is “unlikely to profoundly change the existing risk profile” of those named.
The review by retired civil servant Paul Rimmer also said that the government possibly “inadvertently added more value to the dataset” by seeking the unprecedented superinjunction and implementing a bespoke resettlement scheme.
Government lawyers tell the High Court that in light of the decision to close the Afghanistan Response Route, the superinjunction “should no longer continue”.
– 15 July
Mr Justice Chamberlain lifts the superinjunction.
Mr Healey offered a “sincere apology”, telling the Commons: “This serious data incident should never have happened.
“It may have occurred three years ago under the previous government, but to all those whose information was compromised, I offer a sincere apology today on behalf of the British Government, and I trust the shadow defence secretary, as a former defence minister, will join me.”
