The Government could face “strong claims for substantial compensation” from those affected by a massive data breach of the personal information of Afghans who supported British forces, a lawyer has said.
Sean Humber, a specialist data breach lawyer at law firm Leigh Day, who acts for Afghan citizens affected by previous data breaches of their personal data by the Ministry of Defence (MoD), said the department “seems institutionally incapable of keeping information secure”.
It follows an unprecedented superinjunction being lifted on Tuesday, which had prevented the media from reporting that a dataset containing the personal information of nearly 19,000 people who applied for the Afghan Relocations and Assistance Policy (Arap) was released “in error” in February 2022 by a defence official.
The breach resulted in the creation of a secret Afghan relocation scheme – the Afghanistan Response Route – in April 2024, which is understood to have cost around £400 million so far and could cost up to £850 million once completed.
The Government originally outlined plans to launch a compensation scheme for those affected by the breach, with an estimated cost of between £120 and £350 million, not including administration expenses.
Hundreds of data protection legal challenges are also expected, with the court previously told that a Manchester-based law firm already had several hundred prospective clients.
Following the superinjunction being lifted, Mr Humber said that those affected could sue the Government over the “inevitable anxiety, fear and distress” caused by the breach.
He said: “Given the extreme sensitivity of the information and the numbers affected, plus the vulnerability of those affected due to the dangers they already face from the Taliban, this data breach can only be described as catastrophic.
“Those affected are likely to have strong claims for substantial compensation against the Government for failing to keep the information secure and for inevitable anxiety, fear and distress this has then caused.
“Unfortunately, this is just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces.
“Frankly, the MoD seems institutionally incapable of keeping information secure.
“There is now an urgent need for a thorough and independent review of the MoD’s whole data-processing policies and practices in order to try and prevent yet further breaches.
“We have already been approached by Afghan citizens who had applied, with their families, for relocation to the UK under the Arap scheme and who are now extremely concerned to find that their personal information may have been disclosed without their knowledge or consent.
“They are particularly concerned at the risks posed by their personal information now being in the hands of the Taliban, who continue to imprison, torture and kill those suspected of previously assisting international forces, as well as the risks of fraud and identity theft.”
The superinjunction prohibited making any reference to the existence of the court proceedings and is thought to have been the longest and widest-ranging of its kind.
Mr Justice Chamberlain said in a ruling on Tuesday that he was lifting the order following a review conducted by a retired civil servant for the Ministry of Defence.
He said that this review concluded that the Taliban “likely already possess the key information in the dataset” and that it was “unlikely that individuals would be targeted simply because of their work for the UK”.
He continued that one of the “many remarkable features” of the case was that there had been no mention of the data breach while the superinjunction was in force, which he said was “very much to the credit of the media organisations and individual journalists involved”.
Defence Secretary John Healey offered a “sincere apology” for the breach in the Commons on Tuesday, and said that the MoD has “installed new software to securely share data”.
In a statement to MPs, he said that the breach was a “serious departmental error” which “never should have happened” and was “in clear breach of strict data protection protocols”.
In response to a question from Conservative shadow defence secretary James Cartlidge, Mr Healey said: “When I did his job in that period of opposition, was that this data leak was just one of many from the Afghan schemes at the time.
“And what I can say is that since the election in this last year, we as a Government have appointed a new chief information officer.
“We have installed new software to securely share data, and we have also completed a comprehensive review of the legacy Afghan data on the casework system.”
Erin Alcock, a human rights lawyer at law firm Leigh Day, who has previously assisted hundreds of Arap applicants and family members, said that there had been “rumours circulating of an incident of this kind for some time”.
She said: “The news today is extremely concerning.
“We have been aware of rumours circulating of an incident of this kind for some time and have been concerned about any potential risks posed to our clients, particularly those remaining in Afghanistan.
“Sadly, this incident represents a catastrophic failure by the Government to protect the personal information, and therefore the safety, of what is an extremely vulnerable group of individuals.
“We will be urgently seeking clarification as to which of our many clients may have been affected and confirmation that all necessary precautions have and will be taken to mitigate any risk of harm to them.”
