The Broken Records: tracing the human cost of the 2022 British MoD leak
The Broken Records: tracing the human cost of the 2022 British MoD leak
By Harvey Depledge-Kittle on 13 Mar 2026
Executive Summary
In February 2022, a Ministry of Defence data breach exposed sensitive personal information relating to approximately 18,700 Afghan nationals who had assisted UK forces and applied for protection. The breach was not publicly disclosed for nearly two years. From September 2023, a High Court super-injunction prohibited reporting on the breach and, initially, on the existence of the injunction itself.
This report by AOAV set out to analyse the fallout of the breach, from its human costs to its institutional and strategic consequences, and sought to evaluate the government’s response to this human error.
In so doing, it found that the incident severely undermined trust in the UK’s commitments, revealing critical failures in data management and accountability. Dozens of Afghans and their relatives have reportedly been killed in incidents linked to the leak, while many more continue to live under threat or in hiding. The MoD’s resort to secrecy and delayed disclosure compounded the trauma experienced by survivors and generated significant legal and financial irregularities, drawing sharp criticism from Parliament. Taken together, the breach and its handling exposed deep institutional weaknesses.
The MoD’s use of rudimentary data systems, including Excel spreadsheets stored on SharePoint, was “neither appropriate nor adequate” for managing thousands of highly sensitive records (CPA, 2025, para. 2). Despite prior warnings arising from earlier data incidents, the Ministry failed to reform its processes in time.
When the breach was finally discovered in August 2023, officials prioritised damage control over transparency, securing a super-injunction that restricted oversight and public scrutiny.
This secretive approach shielded the government from immediate scrutiny but significantly eroded accountability. A subsequent parliamentary inquiry condemned the MoD’s actions as a “farrago of errors” and expressed a lack of confidence in the department’s ability to prevent such a disaster from recurring (CPA, 2025).
It is important that lessons are learnt from this catalogue of errors. AOAV hopes that this report is a step towards learning.
Key findings
Human Cost
The breach placed thousands of Afghan partners and their families in peril. A survey of those notified found that 87% had received direct threats to their safety, and nearly half reported a direct threat to their life (RLS, 2025b). At least 49 relatives or colleagues of affected Afghans have been killed in incidents linked to Taliban reprisals following the leak (RLS, 2025b). Psychological trauma was also widespread: 89% reported harm to their mental or physical health, as well as that of their families (RLS, 2025b). Many affected individuals remain in hiding or separated from loved ones.
Operational Failures
The incident stemmed from obsolete data-handling practices. The MoD relied on unsecured spreadsheets for critical casework, resulting in an avoidable mass disclosure of personal data (CPA, 2025). Between 2021 and 2025, the ARAP programme unit suffered 49 separate data breaches, indicating systemic failure rather than a one-off error (CPA, 2025). While the rushed environment of the Afghan evacuation heightened operational pressures, inadequate safeguards and training allowed a catastrophic mistake to occur.
Institutional Response
Once discovered, the government’s response combined urgency with opacity. A secret relocation programme, the Afghanistan Response Route (ARR), was launched in April 2024 to evacuate individuals assessed as being at heightened risk. However, most affected Afghans were not informed of the breach for nearly two years (MoD, 2025). By mid-2025, roughly 7,000 people had been identified for relocation under ARR, in addition to those covered by existing Afghan resettlement schemes (CPA, 2025). The lack of transparency surrounding ARR significantly limited external oversight of this effort.
Legal and Political Fallout
A High Court super-injunction issued in September 2023 barred any mention of the breach or even the injunction’s existence (CPA, 2025, para. 17). This exceptional measure delayed parliamentary scrutiny and complicated fiscal accountability. The MoD did not record the substantial expenditure associated with the ARR programme in its standard accounts, resulting in a £2.565 billion prior-period adjustment and a qualified audit opinion by the Comptroller and Auditor General (C&AG, 2025; CPA, 2025). Political leaders in the post-2024 government have since condemned the cover-up, with the British Labour Prime Minister Keir Starmer stating that former Conservative ministers have “serious questions to answer” over the affair (Walker, 2025). A formal apology was issued by the Defence Secretary in July 2025 once the gag order was lifted (Leigh Day, 2025).
Strategic Consequences
The breach and its handling have damaged the UK’s credibility. Allies and external observers have warned that Britain’s failure to protect its partners, followed by efforts to conceal the failure, reinforces a narrative of betrayal (The Independent, 2025). The episode risks deterring cooperation from local partners in future operations and has undermined confidence in the UK’s moral commitments. Domestically, it has also shaken public trust in the government’s competence and willingness to uphold its duty of care.
Recommendations
To address these failures and prevent similar incidents in future, this report recommends urgent reforms. The MoD and wider government must implement robust data security systems and foster an institutional culture that prioritises accountability over reputational protection. Affected individuals require comprehensive support, including expedited resettlement for those still at risk, tailored security assistance, access to mental health services, and fair compensation for losses suffered. Parliament and independent regulators should be guaranteed access to information during crises, even where confidentiality is required, to ensure that democratic oversight is not again circumvented.
In sum, only genuine transparency, redress for victims, and a renewed commitment to institutional learning can begin to restore trust and ensure that such a deadly lapse is not repeated.
Background
In April 2021, the UK government established the Afghan Relocations and Assistance Policy (ARAP) to honour a critical promise: Afghan nationals whose lives were endangered due to their work with British forces would be offered sanctuary in the UK. The urgency of this commitment intensified following the fall of Kabul in August 2021.
As the Taliban regained control, thousands of Afghans, including interpreters, military personnel, officials, and others who had assisted the UK, suddenly faced the risk of reprisals. ARAP, alongside the parallel Afghan Citizens Resettlement Scheme (ACRS), became a lifeline for these allies. By design, ARAP was intended to provide a safe pathway; in practice, however, the scheme quickly came under strain amid the chaotic evacuation and the overwhelming volume of applications. Even in its early months, warning signs emerged that the MoD’s handling of sensitive data was not fit for purpose. In one notable incident in September 2021, an MoD official accidentally copied 250 Afghan interpreters into a group email, publicly exposing their names and email addresses—a breach sufficiently serious to prompt an Information Commissioner’s Office (ICO) investigation and a £350,000 fine (NAO, 2025, para. 13). This incident proved to be an ominous precursor of what was to follow.
Against this backdrop, the MoD continued to process relocation requests from Afghan partners. The system in place was ad hoc and antiquated: a small team relied on basic office software to track tens of thousands of applicants. It was in this context that a far more devastating data breach occurred on 22 February 2022. A spreadsheet containing the personal details of 18,714 principal applicants to the ARAP scheme (and its predecessor, the Ex-Gratia Scheme for Afghan staff) was mistakenly disseminated or made accessible beyond authorised channels (CPA, 2025, para. 5). These records included applicants’ full names, dates of birth, contact information, and, in many cases, details of their family members. It was precisely the type of data that, if obtained by the Taliban, could be used to identify individuals who had assisted British forces. The breach significantly heightened the risk of retaliation against the UK’s Afghan allies.
For more than a year after February 2022, the MoD remained unaware of the error. The breach went undetected, and no disclosure was made to those affected or to oversight authorities. Meanwhile, the Taliban’s campaign of retribution against so-called “western collaborators” continued unabated, with former interpreters and soldiers already being targeted. The inadvertent leak of a list of names in this context represented a grave and foreseeable risk, compounded by the MoD’s failure to identify the breach sooner. Subsequent assessments attributed the vulnerability of ARAP data management to “inadequate systems… [and] culture” within the Ministry (CPA, 2025). In hindsight, the MoD had not only failed to secure highly sensitive data, but also failed to implement checks that might have flagged such a large-scale breach at an earlier stage.
This situation finally came to light in August 2023. On 14 August 2023, British officials were alerted that personal details from the ARAP spreadsheet had appeared on Facebook, posted openly online (NAO, 2025, para. 10). Although only a small number of names (approximately ten individuals) were initially visible, this was sufficient to confirm that the data had escaped authorised control. MoD staff moved quickly to verify the information and soon recognised the seriousness of the breach. Journalists had also identified the online material and contacted the MoD for comment. It was, by then, clear that the incident could not remain concealed (NAO, 2025, para. 10).
Eighteen months after the data had first been mishandled, the Ministry finally became aware that thousands of identities had been compromised. At that point, the government faced an immediate and complex challenge. First, to limit further dissemination of the data, where possible; and second, to protect individuals whose lives were now assessed to be at heightened risk.
Nature of the Breach
The February 2022 data breach was unprecedented in scale and sensitivity for the Ministry of Defence. An unauthorised disclosure of an entire casework spreadsheet occurred, it was effectively a consolidated list of Afghan nationals who had applied for relocation under ARAP and related programmes up to that point. The precise sequence of events leading to the leak has not been fully detailed publicly, in part due to subsequent secrecy. However, it has been characterised as the result of human error compounded by insecure data infrastructure (MoD, 2025; CPA, 2025).
In practical terms, an MoD employee handling the Excel spreadsheet appears to have mistakenly shared it through an inappropriate channel (possibly via email or an online portal) without adequate safeguards. The data was neither encrypted nor sufficiently access-controlled. In the pressured environment of processing emergency relocation requests, a single error by an unnamed official thus exposed a large volume of highly sensitive personal information (Leigh Day, 2025).
Critically, the compromised spreadsheet contained detailed personal profiles. Each entry identified an Afghan individual who had worked alongside UK forces or the UK government. The roles ranged from interpreters and drivers to individuals affiliated with special forces. It also listed those who had applied for UK protection. As such, alongside names and contact details, many entries included information relating to spouses, children, or other family members, thereby extending the circle of risk to entire households. In some cases, the spreadsheet also contained references to British personnel or military units with whom applicants had worked. As a result, the leak reportedly exposed the identities of over one hundred British nationals, including special forces personnel and intelligence officers listed as contacts or referees (Grierson, 2025).
Although the number of British names exposed was small relative to the total dataset, it illustrated the breadth and sensitivity of the information mishandled. For Afghan applicants, however, the consequences were potentially far more severe. A parliamentary report later concluded that the breach “put many thousands of Afghans at risk of reprisal from the Taliban” (CPA, 2025, p. 5).
If immediate family members of the approximately 18,700 applicants are taken into account, the number of individuals inadvertently placed at risk by the leak likely exceeded 50,000, and may have approached 100,000 when extended family networks are considered (The Independent, 2025).
The core operational failure underlying the breach was the MoD’s continued reliance on makeshift tools to manage ARAP data. Despite handling information with life-and-death implications, the ARAP team used Microsoft Excel spreadsheets stored on SharePoint as its primary case management system (CPA, 2025, para. 2). This arrangement was fundamentally ill-suited to the task. SharePoint access controls were evidently insufficient to prevent unauthorised viewing or onward sharing, while Excel lacks a comprehensive audit trail capable of tracking copying or dissemination in real time. With thousands of entries and multiple users accessing the same file, the risk of inadvertent mass disclosure was exceptionally high.
The Committee of Public Accounts later described this approach as “inappropriate” for such sensitive work, stressing that more secure systems should have been in place from the outset (CPA, 2025, para. 2). It also emerged that at least three smaller data breaches had already occurred within the ARAP programme in late 2021 (CPA, 2025, p. 5). These earlier incidents (including the September 2021 group email error) should have prompted a rapid transition to a secure casework database. Instead, only limited remedial measures were taken, and the February 2022 breach represented the catastrophic culmination of earlier warnings that went unheeded.
By the time the breach was discovered, the spreadsheet may already have been circulating for many months. The Taliban are known to exploit intelligence opportunistically, and Afghanistan was rife with rumours that lists of collaborators were in hostile hands. Media reporting later indicated that Taliban-linked individuals posted portions of the stolen data on Facebook in mid-2023, possibly to intimidate those named or provoke further disclosures (Walker, 2025). Internally, the MoD assessed that “the Taliban likely already possess the key information in the dataset” (Leigh Day, 2025).
The implication was damning: from the moment the breach occurred, every Afghan who had applied to ARAP may have been exposed to heightened risk. Even those who had managed to leave Afghanistan faced the possibility that family members remaining behind were now vulnerable. In this sense, a humanitarian relocation programme had been transformed into a source of exploitable intelligence for the Taliban as a result of a preventable failure in data handling.
In summary, the breach arose from a convergence of extreme operational stakes and inadequate safeguards. Through a basic spreadsheet error, the MoD disclosed information that placed tens of thousands of individuals at potential risk. Had a secure case management system with robust access controls and data minimisation been in place, the breach might have been avoided. Instead, human error intersected with systemic weaknesses to produce one of the most serious data failures in the Ministry’s history, with consequences that would soon unfold in tragic ways.
Institutional Responses and Failures
When the MoD fully recognised the gravity of the situation in August 2023, it faced a severe dilemma. Thousands of Afghan allies were potentially at risk as a result of a British error, yet public disclosure of the breach risked drawing further attention to compromised data and could have complicated ongoing rescue efforts. The Ministry’s response was rapid but deeply flawed, prioritising secrecy over transparency. On 25 August 2023, within days of discovering the breach, MoD officials moved to restrict the flow of information. They contacted Facebook to request the removal of posts containing leaked data (NAO, 2025, para. 11). At the same time, they initiated an internal investigation and notified the Metropolitan Police and the Information Commissioner’s Office (ICO) (NAO, 2025, paras. 10–11). The police concluded that there was no criminal offence requiring investigation, as the incident stemmed from internal error rather than external intrusion.
The ICO, as the UK’s data protection regulator, would ordinarily have been expected to conduct an independent investigation. In this case, however, the MoD’s insistence on maintaining secrecy significantly constrained the regulator’s role. Much of the relevant material was classified as “Secret” or “Top Secret” and subsequently covered by a super-injunction granted shortly thereafter. As a result, the ICO stated that it “was not in a position to conduct its own independent investigation” (NAO, 2025, para. 11). Instead, it adopted a limited advisory role, overseeing and suggesting lines of inquiry to the MoD’s internal investigators. This represented a clear departure from standard accountability mechanisms. The ICO later publicly defended its constrained approach, citing the exceptional legal and security restrictions imposed on the case (NAO, 2025, para. 11).
The most consequential institutional decision was the MoD’s request for a super-injunction. On 1 September 2023, the High Court granted the order, prohibiting any publication or media reference to the breach, or even to the existence of the injunction itself (CPA, 2025, para. 17; MoD, 2025). Such injunctions are rare and typically reserved for cases involving acute national security concerns or extreme risks to personal safety. The MoD justified the measure on national security grounds, arguing that public acknowledgement of the breach could further endanger those named by confirming to the Taliban that the UK government was aware of the leak. Critics later challenged this rationale, noting that the personal details had already entered the public domain as a result of the breach and that Taliban actors were likely to have obtained the data rapidly (The Independent, 2025). Nonetheless, the injunction effectively removed the incident from public scrutiny. Knowledge of the breach was tightly compartmentalised within government, ministers treated the matter as highly classified, and Parliament was not informed.
This enforced secrecy had immediate institutional consequences. Established channels of oversight were bypassed. The Committee of Public Accounts (CPA), which would ordinarily be alerted to incidents involving substantial public expenditure and liability, received no information. The National Audit Office (NAO), responsible for auditing government accounts, was similarly excluded. During scrutiny of the MoD’s 2023–24 annual accounts, officials provided only a vague indication to a senior NAO official that a “secret matter” involving a data breach existed, without further detail, and the issue was omitted from the published accounts (The Register, 2025). Senior NAO leadership, including the Comptroller and Auditor General (C&AG), remained unaware of the nature and scale of the breach until July 2025 (MoD, 2025; CPA, 2025). Consequently, for almost two fiscal years, the MoD’s handling of the breach—including the associated costs—fell outside normal mechanisms of democratic and financial accountability. The MoD Permanent Secretary later described this situation as “deeply uncomfortable” (MoD, 2025), reflecting the unease created by prolonged exclusion of parliamentary oversight.
Behind the scenes, the government sought to mitigate the damage. A dedicated relocation effort, the Afghanistan Response Route (ARR), was established to extract individuals assessed to be at heightened risk as a result of the breach. Launched in April 2024, once legal and operational preparations were in place, ARR operated alongside existing Afghan resettlement schemes (Leigh Day, 2025; CPA, 2025). Eligibility extended beyond those previously accepted under ARAP, including some family members and individuals whose applications had been refused but whose identities had nonetheless been exposed. ARR necessarily operated in secrecy. Evacuations were conducted discreetly, and in some cases local authorities in the UK were not informed of the specific rationale for arrivals. By mid-2025, approximately 7,000 individuals had been identified for relocation under ARR, with more than 3,000 reportedly evacuated (CPA, 2025; The Register, 2025). While these operations undoubtedly saved lives, they were implemented on an ad hoc basis and placed considerable strain on resources. To avoid drawing attention to the programme, the MoD chose not to establish dedicated budget lines for ARR expenditure (CPA, 2025). Instead, costs were absorbed into broader resettlement spending or not fully itemised, a decision that later necessitated a substantial retrospective financial adjustment.
The institutional response also included reforms to data handling practices, though these were delayed. Following the breach, the MoD approved the development of a secure, purpose-built case management system, recognising that reliance on Excel and SharePoint was no longer tenable (The Register, 2025). By late 2025, the Ministry stated that the new system was operational, offering improved access controls and audit functionality (The Register, 2025). However, this reform came only after numerous data incidents had already occurred. The CPA noted that the MoD was aware of serious risks to data security after three separate ARAP-related breaches in autumn 2021 and had implemented some limited fixes, yet “continued to experience data breaches”, culminating in the 2022 incident (CPA, 2025, p. 5). The failure was therefore not solely technical but institutional and cultural. An ICO review observed that, although data protection processes formally existed, ARAP staff were “working at pace” under acute pressure and were sharing data externally without appropriate systems, driven by the perceived urgency of a “clear threat to life” emergency (NAO, 2025, para. 12). In practice, data security was treated as secondary to operational urgency. Ironically, this prioritisation undermined the very objective of the scheme by exposing those it was designed to protect to greater danger.
In sum, the MoD’s response to the breach combined urgent remedial action with significant institutional misjudgement. While efforts to relocate those at risk were critical, the decision to prioritise secrecy over transparency weakened accountability and trust. Oversight bodies were sidelined, warnings were insufficiently acted upon, and reforms were implemented only after severe harm had already occurred. As the CPA concluded, the episode represented “a grave risk to thousands of lives and a cost to the taxpayer in the hundreds of millions, at least”, while the Committee “[lacked] confidence in the MoD’s current ability to prevent such an incident happening again” (CPA, 2025). This assessment underscores that the failures were not confined to a single error or individual, but reflected deeper, systemic weaknesses requiring sustained reform.
Legal and Political Fallout
The legal and political consequences of the 2022 Afghan data breach have been far-reaching, drawing the Ministry of Defence and the wider government into sustained controversy. Legally, the imposition of a super-injunction in September 2023 represented an exceptional restriction on transparency. For nearly two years, the order prevented public reporting on the breach, raising significant concerns about state secrecy and democratic accountability. Politically, when the existence of the breach became public in mid-2025, it triggered intense criticism and debate, including rare public disagreement between current and former government officials over the propriety of the secrecy surrounding the incident.
One immediate legal consequence concerned the MoD’s financial accounting and oversight. Expenditure associated with the emergency Afghanistan Response Route (ARR) relocations escalated rapidly from late 2023, encompassing transport, accommodation, legal costs, and security measures. Ordinarily, such significant spending would be disclosed to Parliament and subject to scrutiny. However, the super-injunction prevented the MoD from explaining the purpose of this expenditure publicly. To avoid breaching the court order, the Ministry chose not to separately itemise ARR costs or establish a transparent audit trail in its 2023–24 accounts (CPA, 2025). This approach proved unsustainable. Once the injunction was lifted, the MoD was required to implement a prior-period adjustment of £2.565 billion to retroactively recognise costs linked to Afghan relocations and associated legal liabilities (C&AG, 2025; CPA, 2025). This adjustment led the Comptroller and Auditor General to issue a qualified audit opinion on the MoD’s 2024–25 accounts (C&AG, 2025). A qualified opinion for a major government department is a serious indicator of non-compliance with standard financial controls. In this case, the qualification stemmed from what the C&AG described as “breaches of expenditure controls” (C&AG, 2025), reflecting spending undertaken without normal approvals or transparency. While the MoD argued that standard procedures could not be followed without violating the injunction, the Committee of Public Accounts (CPA) later criticised the situation sharply, highlighting the strain placed on the National Audit Office and the effective circumvention of parliamentary oversight over a multi-billion-pound issue (CPA, 2025).
A further legal dimension concerned regulatory enforcement. Although the Information Commissioner’s Office (ICO) was notified of the breach in 2023, its ability to respond was constrained by the secrecy surrounding the case. Ultimately, the ICO decided not to impose a fine or formal enforcement notice in relation to the 2022 breach (NAO, 2025, para. 13). This contrasted with its response to the earlier 2021 ARAP-related breach, for which the MoD was fined £350,000 (NAO, 2025, para. 13). The ICO explained that by the time it was able to engage fully—following the lifting of the injunction in July 2025—the MoD had already implemented remedial measures and was cooperating with ongoing oversight, reducing the perceived value of punitive sanctions. Nevertheless, some privacy advocates questioned this decision, arguing that the scale of harm warranted a clearer enforcement response. The ICO defended its position by citing the exceptional circumstances of a life-critical evacuation and the continued classification of much of the relevant evidence (ICO, 2025[NS1] ). The absence of a fully independent regulatory investigation has left aspects of the breach unresolved in the public domain, including the extent of individual accountability within the MoD. No criminal proceedings or disciplinary dismissals have been publicly reported, and accountability may instead be pursued through civil litigation. Several affected Afghans, supported by human rights law firms, are exploring legal action against the MoD for negligence and resulting harm (Leigh Day, 2025).
The political fallout intensified after the super-injunction was lifted on 15 July 2025, following a High Court ruling that continued secrecy was no longer justified (Leigh Day, 2025). This disclosure coincided with the installation of a new government following a general election. Prime Minister Keir Starmer publicly criticised the previous Conservative administration, stating that former ministers had “serious questions to answer” regarding both the handling of the breach and the prolonged secrecy surrounding the relocation programme (Walker, 2025). Such direct criticism by a sitting Prime Minister of predecessors on a national-security-related issue was unusual and reflected broader concerns that the prior response prioritised reputational management over transparency.
Senior figures from the previous government rejected this characterisation. Grant Shapps, who served briefly as Defence Secretary in 2023, defended the decision to maintain the injunction, arguing that secrecy was intended to protect lives and enable discreet evacuations without provoking reprisals (Grierson, 2025). Critics challenged this justification, noting that Taliban actors were unlikely to require public confirmation to exploit leaked data and that delayed notification may have left many affected Afghans exposed to prolonged risk (The Independent, 2025). Parliamentary scrutiny reflected this scepticism. The House of Commons Defence Select Committee opened an inquiry into the Afghan data breach and resettlement schemes in late 2025, soliciting evidence from government officials, experts, and civil society organisations. Submissions to the inquiry, including those from Refugee Legal Support, documented severe human impacts and alleged governance failures, intensifying pressure on ministers to account for their decisions (RLS, 2025b).
Separately, the Committee of Public Accounts published a highly critical report, the Fifty-Fourth Report of Session 2024–26, which characterised the MoD’s handling of the breach as a “catalogue of mistakes” (CPA, 2025). The Committee criticised the Ministry for failing to act on prior warnings and for creating what it described as a “deeply uncomfortable” democratic deficit by withholding information from Parliament and the NAO (CPA, 2025, paras. 17–18). Summarising the findings, the Committee’s Chair stated that these risks “ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer”, while expressing a lack of confidence in the MoD’s ability to prevent a recurrence (CPA, 2025). The CPA recommended urgent confirmation that secure case management systems were in place and the establishment of clear protocols for notifying oversight bodies even where confidentiality is required.
The controversy also intersected with wider political debates on immigration and asylum. Media reporting that thousands of Afghans had been relocated to the UK in secret, at a cost exceeding £850 million, prompted divergent responses across the political spectrum (Guardian/Reuters, 2025[NS2] ). Refugee advocates argued that the episode demonstrated the state’s capacity to resettle large numbers rapidly when political will exists, and that such action should be transparent and accompanied by adequate support and compensation. Others raised concerns about integration and security, despite the absence of evidence that those relocated under ARR posed any security risk. These debates fed into broader tensions within UK politics between commitments to international obligations and domestic migration narratives. While the current government has adopted a more openly sympathetic tone, it has also proceeded cautiously, reflecting the continued sensitivity of asylum policy.
In conclusion, the legal and political fallout from the Afghan data breach remains ongoing but has already been substantial. Legally, it tested the boundaries of official secrecy and accountability in cases of large-scale data failure. Politically, it has become both a site of partisan contestation and a broader lesson in the costs of governance failures. The episode illustrates how attempts to contain reputational damage through secrecy can ultimately intensify scrutiny, erode public trust, and generate lasting institutional consequences.
Human Impact
Beyond the institutional and political consequences lies the most tragic aspect of the breach: the human cost. For Afghan individuals and families whose personal details were exposed, the consequences have been profound. These people were already among the most vulnerable: by applying to the ARAP scheme, they had effectively signalled that they were at risk of Taliban retaliation. The data leak heightened that danger. It is difficult to overstate the fear and distress that spread through this community of “affected Afghans” once the breach became known to them, which occurred long after it became known to those who might seek to exploit the information.
In July 2025, when the MoD began notifying those on the list about the breach, nearly two and a half years after the incident, the news confirmed what many suspected based on the threats they had been experiencing. A survey conducted by Refugee Legal Support (RLS) in late 2025 of Afghans who received the MoD’s notification sets out the scale of reported harm (RLS, 2025b). According to the survey, 87% of respondents said they had experienced personal threats or risks to family members since the breach (RLS, 2025b). These threats included specific death threats, reports of Taliban members appearing at homes, and messages referencing respondents’ work with foreign forces. The survey also recorded reported violence: 43% stated they had received a direct threat against their own life, and 52% reported that relatives or friends in Afghanistan had been explicitly threatened by Taliban elements (RLS, 2025b).
A significant number of respondents also reported fatal outcomes. Among those surveyed, at least 49 individuals stated that a colleague or family member had been killed in circumstances they linked to the data breach (RLS, 2025b; Walker, 2025). Some accounts describe incidents in which Taliban operatives allegedly used names and associations from the spreadsheet to identify and target individuals. For example, one respondent reported that a family member was killed in retaliation for the respondent’s past work with UK forces, while another reported the killing of a former colleague after being identified through leaked information (RLS, 2025b). Such reports remain difficult to independently verify, but they are consistent with documented Taliban patterns of retribution against perceived collaborators. As one Afghan veteran observed, “Afghans who served alongside UK forces have faced renewed threats, violent assaults, and even the killing of family members after their personal details were exposed” (Clark, quoted in Walker, 2025). For many affected families, the consequences have been both immediate and severe.
Even where respondents had not experienced physical harm, the psychological and social toll reported was substantial. The RLS survey found that 89% of notified individuals reported negative impacts on their physical or mental health, and an equal proportion said their family’s wellbeing had been adversely affected (RLS, 2025b). Reported impacts included chronic anxiety, depression, and acute stress. One former member of the Afghan National Security Forces described living in constant fear: “My family and I continue to face intimidation, repeated house searches, and ongoing danger to our safety” (RLS, 2025b, Respondent 117). Another respondent, an Afghan National Army veteran still in Afghanistan, stated: “A couple of weeks after [the data leak] was made known, I was recognised by the Taliban and badly beaten up” (RLS, 2025b, Respondent 43). In another testimony, a respondent described the torture of a family member by Taliban fighters who accused the family of being traitors and referenced the son’s work with foreign forces (RLS, 2025b, Respondent 171). For those who managed to leave Afghanistan and are awaiting resettlement in third countries, or those now in the UK, survivor’s guilt and fear for relatives left behind compound the trauma. A former interpreter now in Britain reported: “Following the leak, the Taliban searched my family home and continue to threaten my relatives… They question my family about me every day” (RLS, 2025b, Respondent 88).
The breach also damaged trust in the UK’s commitments. For those affected, the realisation that their application for protection may itself have increased their exposure to harm was deeply destabilising. One Afghan affected stated: “The delay between the discovery of the data breach in 2023 and [our] communication in July 2025 is deeply concerning and unacceptable. Waiting almost two years to inform us that our personal data was compromised has put many lives at risk unnecessarily” (former ANA officer, quoted in Walker, 2025). The delayed notification meant that many were denied the opportunity to take risk-mitigation measures, such as changing location or contact details, at an earlier stage. Several respondents reported feeling “abandoned” or “sacrificed” by the delay (RLS, 2025b). Even after notification, many viewed the support offered as limited. RLS reported that the MoD’s primary means of notification was an email or letter referring to a “data incident” and providing security advice (RLS, 2025b). Only 38% of affected Afghans reported that the MoD’s security advice was helpful (RLS, 2025b). Respondents described the guidance as overly general, and therefore inadequate to their circumstances. As one respondent noted, “When our personal info is already accessible to the Taliban, advice about using a VPN or not oversharing online does little. The risks remain regardless” (RLS, 2025b).
For those evacuated to the UK under ARR or other schemes, new challenges have emerged. Resettlement has not always been smooth. Some evacuees reported prolonged stays in temporary accommodation and delays in processing immigration status. “The agency that helped us resettle treated us awfully,” stated one interpreter now in the UK (RLS, 2025b, Respondent 249). Another recurring theme is family reunification. Many of those relocated were separated from extended family members who remain at risk. Under standard eligibility rules, not all relatives qualify for relocation, but affected individuals have argued that the breach significantly elevates risk for family members named or identifiable through the leaked data. At the time of writing, some have been able to sponsor additional relatives, while others remain in prolonged uncertainty. The psychological burden of separation, combined with earlier trauma, has led some mental health professionals to warn of a serious support requirement for this cohort. Afghan refugees already carry trauma from war and displacement; the breach added a further layer of distress associated with perceived institutional failure by the state they trusted (British Psychological Society briefing, 2025[NS3] ).
Amid these outcomes, Afghan communities and supporting organisations have also mobilised to provide mutual support. Groups in the UK have formed networks to assist new arrivals in navigating resettlement, while refugee organisations and legal charities have advocated for expedited processing and additional support, including through preparations for group litigation. Their central argument is that individuals were exposed to danger through no fault of their own as a result of a UK government failure and therefore require timely protection and redress. Some affected individuals have spoken anonymously to the media, describing their experiences and shaping wider public understanding of the issue. As one account described, an Afghan special forces veteran living precariously in Iran reported severe anxiety after being denied ARAP and later being informed that his risk level had increased due to the breach (RLS, 2025b). Such testimonies have contributed to public recognition that those affected are individuals who worked alongside the UK and are now bearing the consequences of institutional failure.
In closing, the human impact of the MoD data breach remains an ongoing tragedy. Lives have been lost, disrupted, and placed under severe strain. A community that supported the UK in conflict has borne a heavy cost through no fault of its own. While the UK’s subsequent actions, including evacuations and a formal apology, have provided some protection, they occurred only after prolonged delay. For many affected Afghans, the psychological and practical consequences will endure for years. As one Afghan now in Britain remarked: “We might be in a safe place now, but the nightmares are still with us, of what happened to us, and what might still happen to those we love back home.”
Public Trust and Strategic Consequences
The fallout from the Afghan data breach has not been confined to those directly affected; it has also reverberated through the broader realms of public trust and the UK’s strategic credibility. At its heart, this incident strikes at a fundamental expectation: that the British government will protect those who risk their lives to aid its missions. The breach – and the subsequent secrecy – delivered a double blow to that expectation, raising doubts about the UK’s reliability as an ally and about the government’s commitment to transparency and accountability at home.
Public Trust in Government
Within the UK, revelations of the MoD’s mishandling of the breach and the prolonged secrecy that followed have dented public confidence in the Ministry and in government more generally. The Ministry of Defence is typically regarded as a high-trust institution, closely associated with national security and the armed forces. Learning that the MoD could lose sensitive personal data on such a scale, and then conceal the incident, caused concern even among supporters of the defence establishment. Editorials in major British newspapers, from The Times to The Guardian, criticised the MoD’s competence and candour. Many members of the public were unaware that a super-injunction had prevented reporting and parliamentary discussion until after it was lifted. Its existence prompted warnings that Britain was “entering a dangerous era” in which national security is invoked to obscure major failures and stifle democratic debate (Burges, 2025).
While national security can legitimately require secrecy, critics argued that this case did not meet that threshold, since the most sensitive information—the identities of Afghan collaborators—had already been exposed by the breach itself. Instead, the injunction’s principal effect was perceived as shielding officials and ministers from immediate scrutiny. Such perceptions reinforced a narrative of a government more focused on avoiding accountability than addressing institutional failure. In a context of already fragile trust in public institutions, the episode provided further ammunition for critics who argue that the British state has become overly secretive and prone to cover-ups. These concerns were compounded when financial irregularities became public, including the disclosure that £2.6 billion had been spent without transparent accounting. This raised fears that the government had been “playing fast and loose” with taxpayer funds under the cloak of secrecy. Even citizens with limited interest in foreign policy expressed alarm at the scale of unaccounted expenditure and at an NAO audit opinion that effectively stated, “we can’t be sure where the money went.” Polling data in late 2025 reflected a modest decline in confidence in the MoD’s administrative competence and a sharper fall in approval of how the government handled Afghan refugees (YouGov, 2025). While public trust can recover, such episodes tend to leave a lasting residue of doubt.
Credibility with Allies and Local Partners
Internationally, the breach has raised uncomfortable questions about the UK’s reputation. Britain has long emphasised principles such as loyalty to those who serve alongside it and respect for the rule of law. The Afghan data breach undermined those claims. Allies including the United States, Canada, and European NATO members all faced comparable challenges during the Afghan evacuation and operated their own resettlement schemes. Background reporting by BBC correspondents in Washington and Brussels suggested that some defence officials expressed concern about the UK’s handling of sensitive partner data.
While allied governments have refrained from public criticism, there has been private concern that the breach’s implications could extend beyond the UK. Where Afghan partners worked with multiple international forces, compromised UK data could expose individuals linked to other states. Strategically, the episode has been cited as a cautionary example of inadequate data governance in multinational operations. NATO and other defence forums have reportedly discussed establishing minimum data protection standards for future evacuations and programmes involving vulnerable partners. The broader lesson is that humanitarian and stabilisation operations require information security standards comparable to those applied in military contexts.
The incident has also fed into what some commentators describe as the “perfidious Albion” narrative, a long-standing trope portraying Britain as unreliable in its commitments. The Independent (2025) explicitly drew a line from historical betrayals to this modern case, arguing that the failure to protect Afghan allies, followed by secrecy, would reinforce distrust in Britain’s word. In future operational theatres, adversaries may use the breach as propaganda: “Look what befell those who trusted the British – they were left for dead.” Taliban messaging in 2025 framed the breach as proof of Western perfidy, with spokesmen claiming that “Allah has exposed the helpers of the infidels” and portraying the UK’s secret evacuations as evidence of panic. While local allies often continue to cooperate despite such risks, each episode of this kind makes recruitment and trust-building more difficult. Strategically, the credibility of assurances given to local staff matters not only morally but operationally; without trusted local networks, missions become far less effective.
Moral Authority and Soft Power
The UK has long sought to project influence through its values and humanitarian commitments. The chaotic withdrawal from Afghanistan in 2021 had already damaged this image, and schemes such as ARAP were intended to preserve some moral authority by protecting those who had assisted UK forces. The data breach, and the secrecy that followed, further tarnished that effort. International human rights organisations criticised the UK’s actions. Amnesty International stated that the breach “shamefully imperilled the very people the UK promised to protect” and called for an independent inquiry and reparations. The UN High Commissioner for Refugees more cautiously noted that “lessons must be learned” to ensure the safety of refugees and those at risk. Together, these responses weakened the UK’s standing as a leader in refugee protection. Adversarial states also seized on the incident. Russian and Chinese state media highlighted the breach as evidence of Western incompetence and duplicity, reinforcing a narrative that the withdrawal from Afghanistan was not only chaotic but callous. While such coverage is politically motivated, it nonetheless contributes to the erosion of UK soft power.
Domestic Morale within Institutions
A further strategic consequence has been felt within the UK’s own institutions. Many service personnel who served in Afghanistan formed close bonds with local interpreters and partners, and for them ARAP represented a moral obligation to former comrades. Awareness that a bureaucratic failure undermined that commitment has been demoralising. Former military personnel have voiced anger in the press and in parliamentary evidence, recalling friends who went into hiding or suffered harm during prolonged delays. Such disillusionment risks corroding confidence in leadership. Within the civil service, the episode has prompted reflection on risk management and escalation practices, including whether warning signs were missed or constrained by compartmentalisation. Strategically, institutions that confront failures openly can adapt and strengthen; those that do not risk repetition. Ensuring that lessons are fully internalised through training, procedural reform, and accountability is essential for restoring confidence among staff and the public.
In summary, the strategic and trust-related consequences of the Afghan data breach extend far beyond the immediate incident. It has unsettled allies, weakened public confidence, and potentially complicated future operations. The UK’s credibility as a reliable partner and a state committed to openness has been undermined. Rebuilding that credibility will require sustained and demonstrable reform. As one assessment concluded, “When Britain’s allies put their lives on the line, we abandoned them – and covered it all up” (The Independent, 2025). Addressing that critique directly is essential if the UK is to move forward with its moral authority intact.
Recommendations
Addressing the fallout of the 2022 MoD data breach and preventing similar failures in the future will require a comprehensive set of actions. These recommendations focus on restoring trust, providing redress to those harmed, and reforming the systems and institutional culture that allowed the breach and its flawed handling to occur. They draw on parliamentary findings, expert assessments, and the testimony of affected individuals. The following measures are proposed:
1. Overhaul Data Management and Security Protocols
The Ministry of Defence must fully transition all sensitive casework, including refugee and local staff programmes, to secure, purpose-built information systems. Reliance on ad hoc tools such as spreadsheets is no longer acceptable. A modern case-management platform with strict role-based access controls, encryption, and comprehensive audit logging should be fully operational (CPA, 2025). All staff handling personal data should receive enhanced training in data protection and cyber-hygiene. Regular audits and stress-testing of systems should be conducted to ensure resilience. Crucially, departmental culture must treat data security as integral to mission success rather than a secondary administrative concern. Senior leadership should be accountable for maintaining these standards, including through performance assessments or budgetary oversight linked to information-assurance compliance.
2. Establish Clear Accountability and Transparency Mechanisms
In the event of future data breaches or comparable incidents, departments should not unilaterally decide to withhold information from oversight bodies. Clear protocols should be developed, potentially under Cabinet Office guidance, for briefing the National Audit Office, relevant Select Committee chairs, and ministers in confidence where national security sensitivities apply. Consideration could also be given to appointing an independent reviewer to oversee the handling of such incidents. The objective is to preserve democratic scrutiny even where public disclosure must be temporarily limited. Where extraordinary legal measures such as super-injunctions are sought, they should be subject to regular judicial review rather than open-ended secrecy. Parliament may wish to consider legislative safeguards, including sunset clauses or mandatory oversight provisions, for injunctions involving public authorities. Overall, a presumption in favour of transparency should apply unless a clearly substantiated case is made otherwise (CPA, 2025).
3. Provide Full Redress and Support for Affected Individuals
The government has a clear moral obligation to those placed at risk by this breach. Expedited relocation should be offered to all remaining Afghan applicants and immediate family members whose data was compromised and who wish to come to the UK, with clear timelines for resolving the current backlog (RLS, 2025b). Cases previously refused under ARAP or ACRS but involving individuals named in the leaked dataset should be proactively reopened and reassessed in light of the heightened risk (RLS, 2025b). For those already in the UK or awaiting relocation in third countries, comprehensive support packages are required. These should include tailored security assistance, access to mental health services, and practical integration support such as language training and employment assistance. A dedicated communication channel should be established to allow affected Afghans to report threats and seek timely help, potentially in partnership with international organisations such as UNHCR for those outside the UK (RLS, 2025b).
4. Implement a Fair Compensation Scheme
Many affected individuals have experienced serious material and psychological harm, including prolonged hiding, loss of income or property, and the death of family members. The government should establish a compensation scheme to provide financial redress without requiring prolonged litigation. Such a scheme would acknowledge responsibility and may reduce the need for costly and protracted legal action. It should be administered with input from an independent panel to assess claims fairly and consistently. While financial compensation cannot undo the harm suffered, targeted support, such as assistance for resettled families, educational support for children, or stipends for those unable to work, would represent tangible accountability. Existing precedents for compensation following state failures may inform the design of this mechanism.
5. Strengthen Interdepartmental Coordination and Planning
A contributing factor to the failure was the concentration of responsibility for Afghan resettlement within the MoD, an institution not structured for long-term refugee management. Future operations combining defence and humanitarian objectives should be managed through joint task forces involving the Home Office, the Foreign Office, and other relevant departments from the outset. This may have mitigated reliance on MoD-specific systems rather than established asylum-case infrastructure. Regular scenario planning for high-risk contingencies, including data breaches, should be conducted with input from security, legal, and communications specialists to avoid improvised responses under crisis conditions. Building institutional resilience requires planning for failure as well as success.
6. Reaffirm Ethical Commitments and Communicate Lessons Learned
Restoring credibility will require public acknowledgment as well as internal reform. The government should formally recognise the harm caused by the breach, ideally through a parliamentary statement, and reaffirm its commitment to safeguarding those who support UK operations. The Defence Secretary’s apology in 2025 was an important step, but it should be followed by regular updates to Parliament on the implementation of reforms. Publishing a suitably redacted summary of the MoD’s internal investigation, once security considerations permit, would further support transparency. Internationally, the UK should share lessons learned with allies to strengthen collective practice, as is already occurring in NATO discussions. In future engagements involving local partners, the UK must demonstrate, not merely assert, that systems and processes have been reformed. The narrative must move from “Britain betrayed its allies” to “Britain learned from a grave mistake and is determined to never repeat it.”
Implementing these recommendations will require financial resources, administrative effort, and political resolve. However, the costs of inaction or partial reform would be greater. Restoring trust, both among those directly affected and within the wider public, is essential.
The 2022 Afghan data breach exposed serious institutional weaknesses; the responsibility now is to ensure it becomes a catalyst for durable reform, so that those harmed did not suffer in vain and future partners can have confidence in the integrity and responsibility of British institutions.
By Harvey Depledge-Kittle on 13 Mar 2026
Executive Summary
In February 2022, a Ministry of Defence data breach exposed sensitive personal information relating to approximately 18,700 Afghan nationals who had assisted UK forces and applied for protection. The breach was not publicly disclosed for nearly two years. From September 2023, a High Court super-injunction prohibited reporting on the breach and, initially, on the existence of the injunction itself.
This report by AOAV set out to analyse the fallout of the breach, from its human costs to its institutional and strategic consequences, and sought to evaluate the government’s response to this human error.
In so doing, it found that the incident severely undermined trust in the UK’s commitments, revealing critical failures in data management and accountability. Dozens of Afghans and their relatives have reportedly been killed in incidents linked to the leak, while many more continue to live under threat or in hiding. The MoD’s resort to secrecy and delayed disclosure compounded the trauma experienced by survivors and generated significant legal and financial irregularities, drawing sharp criticism from Parliament. Taken together, the breach and its handling exposed deep institutional weaknesses.
The MoD’s use of rudimentary data systems, including Excel spreadsheets stored on SharePoint, was “neither appropriate nor adequate” for managing thousands of highly sensitive records (CPA, 2025, para. 2). Despite prior warnings arising from earlier data incidents, the Ministry failed to reform its processes in time.
When the breach was finally discovered in August 2023, officials prioritised damage control over transparency, securing a super-injunction that restricted oversight and public scrutiny.
This secretive approach shielded the government from immediate scrutiny but significantly eroded accountability. A subsequent parliamentary inquiry condemned the MoD’s actions as a “farrago of errors” and expressed a lack of confidence in the department’s ability to prevent such a disaster from recurring (CPA, 2025).
It is important that lessons are learnt from this catalogue of errors. AOAV hopes that this report is a step towards learning.
Key findings
Human Cost
The breach placed thousands of Afghan partners and their families in peril. A survey of those notified found that 87% had received direct threats to their safety, and nearly half reported a direct threat to their life (RLS, 2025b). At least 49 relatives or colleagues of affected Afghans have been killed in incidents linked to Taliban reprisals following the leak (RLS, 2025b). Psychological trauma was also widespread: 89% reported harm to their mental or physical health, as well as that of their families (RLS, 2025b). Many affected individuals remain in hiding or separated from loved ones.
Operational Failures
The incident stemmed from obsolete data-handling practices. The MoD relied on unsecured spreadsheets for critical casework, resulting in an avoidable mass disclosure of personal data (CPA, 2025). Between 2021 and 2025, the ARAP programme unit suffered 49 separate data breaches, indicating systemic failure rather than a one-off error (CPA, 2025). While the rushed environment of the Afghan evacuation heightened operational pressures, inadequate safeguards and training allowed a catastrophic mistake to occur.
Institutional Response
Once discovered, the government’s response combined urgency with opacity. A secret relocation programme, the Afghanistan Response Route (ARR), was launched in April 2024 to evacuate individuals assessed as being at heightened risk. However, most affected Afghans were not informed of the breach for nearly two years (MoD, 2025). By mid-2025, roughly 7,000 people had been identified for relocation under ARR, in addition to those covered by existing Afghan resettlement schemes (CPA, 2025). The lack of transparency surrounding ARR significantly limited external oversight of this effort.
Legal and Political Fallout
A High Court super-injunction issued in September 2023 barred any mention of the breach or even the injunction’s existence (CPA, 2025, para. 17). This exceptional measure delayed parliamentary scrutiny and complicated fiscal accountability. The MoD did not record the substantial expenditure associated with the ARR programme in its standard accounts, resulting in a £2.565 billion prior-period adjustment and a qualified audit opinion by the Comptroller and Auditor General (C&AG, 2025; CPA, 2025). Political leaders in the post-2024 government have since condemned the cover-up, with the British Labour Prime Minister Keir Starmer stating that former Conservative ministers have “serious questions to answer” over the affair (Walker, 2025). A formal apology was issued by the Defence Secretary in July 2025 once the gag order was lifted (Leigh Day, 2025).
Strategic Consequences
The breach and its handling have damaged the UK’s credibility. Allies and external observers have warned that Britain’s failure to protect its partners, followed by efforts to conceal the failure, reinforces a narrative of betrayal (The Independent, 2025). The episode risks deterring cooperation from local partners in future operations and has undermined confidence in the UK’s moral commitments. Domestically, it has also shaken public trust in the government’s competence and willingness to uphold its duty of care.
Recommendations
To address these failures and prevent similar incidents in future, this report recommends urgent reforms. The MoD and wider government must implement robust data security systems and foster an institutional culture that prioritises accountability over reputational protection. Affected individuals require comprehensive support, including expedited resettlement for those still at risk, tailored security assistance, access to mental health services, and fair compensation for losses suffered. Parliament and independent regulators should be guaranteed access to information during crises, even where confidentiality is required, to ensure that democratic oversight is not again circumvented.
In sum, only genuine transparency, redress for victims, and a renewed commitment to institutional learning can begin to restore trust and ensure that such a deadly lapse is not repeated.
Background
In April 2021, the UK government established the Afghan Relocations and Assistance Policy (ARAP) to honour a critical promise: Afghan nationals whose lives were endangered due to their work with British forces would be offered sanctuary in the UK. The urgency of this commitment intensified following the fall of Kabul in August 2021.
As the Taliban regained control, thousands of Afghans, including interpreters, military personnel, officials, and others who had assisted the UK, suddenly faced the risk of reprisals. ARAP, alongside the parallel Afghan Citizens Resettlement Scheme (ACRS), became a lifeline for these allies. By design, ARAP was intended to provide a safe pathway; in practice, however, the scheme quickly came under strain amid the chaotic evacuation and the overwhelming volume of applications. Even in its early months, warning signs emerged that the MoD’s handling of sensitive data was not fit for purpose. In one notable incident in September 2021, an MoD official accidentally copied 250 Afghan interpreters into a group email, publicly exposing their names and email addresses—a breach sufficiently serious to prompt an Information Commissioner’s Office (ICO) investigation and a £350,000 fine (NAO, 2025, para. 13). This incident proved to be an ominous precursor of what was to follow.
Against this backdrop, the MoD continued to process relocation requests from Afghan partners. The system in place was ad hoc and antiquated: a small team relied on basic office software to track tens of thousands of applicants. It was in this context that a far more devastating data breach occurred on 22 February 2022. A spreadsheet containing the personal details of 18,714 principal applicants to the ARAP scheme (and its predecessor, the Ex-Gratia Scheme for Afghan staff) was mistakenly disseminated or made accessible beyond authorised channels (CPA, 2025, para. 5). These records included applicants’ full names, dates of birth, contact information, and, in many cases, details of their family members. It was precisely the type of data that, if obtained by the Taliban, could be used to identify individuals who had assisted British forces. The breach significantly heightened the risk of retaliation against the UK’s Afghan allies.
For more than a year after February 2022, the MoD remained unaware of the error. The breach went undetected, and no disclosure was made to those affected or to oversight authorities. Meanwhile, the Taliban’s campaign of retribution against so-called “western collaborators” continued unabated, with former interpreters and soldiers already being targeted. The inadvertent leak of a list of names in this context represented a grave and foreseeable risk, compounded by the MoD’s failure to identify the breach sooner. Subsequent assessments attributed the vulnerability of ARAP data management to “inadequate systems… [and] culture” within the Ministry (CPA, 2025). In hindsight, the MoD had not only failed to secure highly sensitive data, but also failed to implement checks that might have flagged such a large-scale breach at an earlier stage.
This situation finally came to light in August 2023. On 14 August 2023, British officials were alerted that personal details from the ARAP spreadsheet had appeared on Facebook, posted openly online (NAO, 2025, para. 10). Although only a small number of names (approximately ten individuals) were initially visible, this was sufficient to confirm that the data had escaped authorised control. MoD staff moved quickly to verify the information and soon recognised the seriousness of the breach. Journalists had also identified the online material and contacted the MoD for comment. It was, by then, clear that the incident could not remain concealed (NAO, 2025, para. 10).
Eighteen months after the data had first been mishandled, the Ministry finally became aware that thousands of identities had been compromised. At that point, the government faced an immediate and complex challenge. First, to limit further dissemination of the data, where possible; and second, to protect individuals whose lives were now assessed to be at heightened risk.
Nature of the Breach
The February 2022 data breach was unprecedented in scale and sensitivity for the Ministry of Defence. An unauthorised disclosure of an entire casework spreadsheet occurred, it was effectively a consolidated list of Afghan nationals who had applied for relocation under ARAP and related programmes up to that point. The precise sequence of events leading to the leak has not been fully detailed publicly, in part due to subsequent secrecy. However, it has been characterised as the result of human error compounded by insecure data infrastructure (MoD, 2025; CPA, 2025).
In practical terms, an MoD employee handling the Excel spreadsheet appears to have mistakenly shared it through an inappropriate channel (possibly via email or an online portal) without adequate safeguards. The data was neither encrypted nor sufficiently access-controlled. In the pressured environment of processing emergency relocation requests, a single error by an unnamed official thus exposed a large volume of highly sensitive personal information (Leigh Day, 2025).
Critically, the compromised spreadsheet contained detailed personal profiles. Each entry identified an Afghan individual who had worked alongside UK forces or the UK government. The roles ranged from interpreters and drivers to individuals affiliated with special forces. It also listed those who had applied for UK protection. As such, alongside names and contact details, many entries included information relating to spouses, children, or other family members, thereby extending the circle of risk to entire households. In some cases, the spreadsheet also contained references to British personnel or military units with whom applicants had worked. As a result, the leak reportedly exposed the identities of over one hundred British nationals, including special forces personnel and intelligence officers listed as contacts or referees (Grierson, 2025).
Although the number of British names exposed was small relative to the total dataset, it illustrated the breadth and sensitivity of the information mishandled. For Afghan applicants, however, the consequences were potentially far more severe. A parliamentary report later concluded that the breach “put many thousands of Afghans at risk of reprisal from the Taliban” (CPA, 2025, p. 5).
If immediate family members of the approximately 18,700 applicants are taken into account, the number of individuals inadvertently placed at risk by the leak likely exceeded 50,000, and may have approached 100,000 when extended family networks are considered (The Independent, 2025).
The core operational failure underlying the breach was the MoD’s continued reliance on makeshift tools to manage ARAP data. Despite handling information with life-and-death implications, the ARAP team used Microsoft Excel spreadsheets stored on SharePoint as its primary case management system (CPA, 2025, para. 2). This arrangement was fundamentally ill-suited to the task. SharePoint access controls were evidently insufficient to prevent unauthorised viewing or onward sharing, while Excel lacks a comprehensive audit trail capable of tracking copying or dissemination in real time. With thousands of entries and multiple users accessing the same file, the risk of inadvertent mass disclosure was exceptionally high.
The Committee of Public Accounts later described this approach as “inappropriate” for such sensitive work, stressing that more secure systems should have been in place from the outset (CPA, 2025, para. 2). It also emerged that at least three smaller data breaches had already occurred within the ARAP programme in late 2021 (CPA, 2025, p. 5). These earlier incidents (including the September 2021 group email error) should have prompted a rapid transition to a secure casework database. Instead, only limited remedial measures were taken, and the February 2022 breach represented the catastrophic culmination of earlier warnings that went unheeded.
By the time the breach was discovered, the spreadsheet may already have been circulating for many months. The Taliban are known to exploit intelligence opportunistically, and Afghanistan was rife with rumours that lists of collaborators were in hostile hands. Media reporting later indicated that Taliban-linked individuals posted portions of the stolen data on Facebook in mid-2023, possibly to intimidate those named or provoke further disclosures (Walker, 2025). Internally, the MoD assessed that “the Taliban likely already possess the key information in the dataset” (Leigh Day, 2025).
The implication was damning: from the moment the breach occurred, every Afghan who had applied to ARAP may have been exposed to heightened risk. Even those who had managed to leave Afghanistan faced the possibility that family members remaining behind were now vulnerable. In this sense, a humanitarian relocation programme had been transformed into a source of exploitable intelligence for the Taliban as a result of a preventable failure in data handling.
In summary, the breach arose from a convergence of extreme operational stakes and inadequate safeguards. Through a basic spreadsheet error, the MoD disclosed information that placed tens of thousands of individuals at potential risk. Had a secure case management system with robust access controls and data minimisation been in place, the breach might have been avoided. Instead, human error intersected with systemic weaknesses to produce one of the most serious data failures in the Ministry’s history, with consequences that would soon unfold in tragic ways.
Institutional Responses and Failures
When the MoD fully recognised the gravity of the situation in August 2023, it faced a severe dilemma. Thousands of Afghan allies were potentially at risk as a result of a British error, yet public disclosure of the breach risked drawing further attention to compromised data and could have complicated ongoing rescue efforts. The Ministry’s response was rapid but deeply flawed, prioritising secrecy over transparency. On 25 August 2023, within days of discovering the breach, MoD officials moved to restrict the flow of information. They contacted Facebook to request the removal of posts containing leaked data (NAO, 2025, para. 11). At the same time, they initiated an internal investigation and notified the Metropolitan Police and the Information Commissioner’s Office (ICO) (NAO, 2025, paras. 10–11). The police concluded that there was no criminal offence requiring investigation, as the incident stemmed from internal error rather than external intrusion.
The ICO, as the UK’s data protection regulator, would ordinarily have been expected to conduct an independent investigation. In this case, however, the MoD’s insistence on maintaining secrecy significantly constrained the regulator’s role. Much of the relevant material was classified as “Secret” or “Top Secret” and subsequently covered by a super-injunction granted shortly thereafter. As a result, the ICO stated that it “was not in a position to conduct its own independent investigation” (NAO, 2025, para. 11). Instead, it adopted a limited advisory role, overseeing and suggesting lines of inquiry to the MoD’s internal investigators. This represented a clear departure from standard accountability mechanisms. The ICO later publicly defended its constrained approach, citing the exceptional legal and security restrictions imposed on the case (NAO, 2025, para. 11).
The most consequential institutional decision was the MoD’s request for a super-injunction. On 1 September 2023, the High Court granted the order, prohibiting any publication or media reference to the breach, or even to the existence of the injunction itself (CPA, 2025, para. 17; MoD, 2025). Such injunctions are rare and typically reserved for cases involving acute national security concerns or extreme risks to personal safety. The MoD justified the measure on national security grounds, arguing that public acknowledgement of the breach could further endanger those named by confirming to the Taliban that the UK government was aware of the leak. Critics later challenged this rationale, noting that the personal details had already entered the public domain as a result of the breach and that Taliban actors were likely to have obtained the data rapidly (The Independent, 2025). Nonetheless, the injunction effectively removed the incident from public scrutiny. Knowledge of the breach was tightly compartmentalised within government, ministers treated the matter as highly classified, and Parliament was not informed.
This enforced secrecy had immediate institutional consequences. Established channels of oversight were bypassed. The Committee of Public Accounts (CPA), which would ordinarily be alerted to incidents involving substantial public expenditure and liability, received no information. The National Audit Office (NAO), responsible for auditing government accounts, was similarly excluded. During scrutiny of the MoD’s 2023–24 annual accounts, officials provided only a vague indication to a senior NAO official that a “secret matter” involving a data breach existed, without further detail, and the issue was omitted from the published accounts (The Register, 2025). Senior NAO leadership, including the Comptroller and Auditor General (C&AG), remained unaware of the nature and scale of the breach until July 2025 (MoD, 2025; CPA, 2025). Consequently, for almost two fiscal years, the MoD’s handling of the breach—including the associated costs—fell outside normal mechanisms of democratic and financial accountability. The MoD Permanent Secretary later described this situation as “deeply uncomfortable” (MoD, 2025), reflecting the unease created by prolonged exclusion of parliamentary oversight.
Behind the scenes, the government sought to mitigate the damage. A dedicated relocation effort, the Afghanistan Response Route (ARR), was established to extract individuals assessed to be at heightened risk as a result of the breach. Launched in April 2024, once legal and operational preparations were in place, ARR operated alongside existing Afghan resettlement schemes (Leigh Day, 2025; CPA, 2025). Eligibility extended beyond those previously accepted under ARAP, including some family members and individuals whose applications had been refused but whose identities had nonetheless been exposed. ARR necessarily operated in secrecy. Evacuations were conducted discreetly, and in some cases local authorities in the UK were not informed of the specific rationale for arrivals. By mid-2025, approximately 7,000 individuals had been identified for relocation under ARR, with more than 3,000 reportedly evacuated (CPA, 2025; The Register, 2025). While these operations undoubtedly saved lives, they were implemented on an ad hoc basis and placed considerable strain on resources. To avoid drawing attention to the programme, the MoD chose not to establish dedicated budget lines for ARR expenditure (CPA, 2025). Instead, costs were absorbed into broader resettlement spending or not fully itemised, a decision that later necessitated a substantial retrospective financial adjustment.
The institutional response also included reforms to data handling practices, though these were delayed. Following the breach, the MoD approved the development of a secure, purpose-built case management system, recognising that reliance on Excel and SharePoint was no longer tenable (The Register, 2025). By late 2025, the Ministry stated that the new system was operational, offering improved access controls and audit functionality (The Register, 2025). However, this reform came only after numerous data incidents had already occurred. The CPA noted that the MoD was aware of serious risks to data security after three separate ARAP-related breaches in autumn 2021 and had implemented some limited fixes, yet “continued to experience data breaches”, culminating in the 2022 incident (CPA, 2025, p. 5). The failure was therefore not solely technical but institutional and cultural. An ICO review observed that, although data protection processes formally existed, ARAP staff were “working at pace” under acute pressure and were sharing data externally without appropriate systems, driven by the perceived urgency of a “clear threat to life” emergency (NAO, 2025, para. 12). In practice, data security was treated as secondary to operational urgency. Ironically, this prioritisation undermined the very objective of the scheme by exposing those it was designed to protect to greater danger.
In sum, the MoD’s response to the breach combined urgent remedial action with significant institutional misjudgement. While efforts to relocate those at risk were critical, the decision to prioritise secrecy over transparency weakened accountability and trust. Oversight bodies were sidelined, warnings were insufficiently acted upon, and reforms were implemented only after severe harm had already occurred. As the CPA concluded, the episode represented “a grave risk to thousands of lives and a cost to the taxpayer in the hundreds of millions, at least”, while the Committee “[lacked] confidence in the MoD’s current ability to prevent such an incident happening again” (CPA, 2025). This assessment underscores that the failures were not confined to a single error or individual, but reflected deeper, systemic weaknesses requiring sustained reform.
Legal and Political Fallout
The legal and political consequences of the 2022 Afghan data breach have been far-reaching, drawing the Ministry of Defence and the wider government into sustained controversy. Legally, the imposition of a super-injunction in September 2023 represented an exceptional restriction on transparency. For nearly two years, the order prevented public reporting on the breach, raising significant concerns about state secrecy and democratic accountability. Politically, when the existence of the breach became public in mid-2025, it triggered intense criticism and debate, including rare public disagreement between current and former government officials over the propriety of the secrecy surrounding the incident.
One immediate legal consequence concerned the MoD’s financial accounting and oversight. Expenditure associated with the emergency Afghanistan Response Route (ARR) relocations escalated rapidly from late 2023, encompassing transport, accommodation, legal costs, and security measures. Ordinarily, such significant spending would be disclosed to Parliament and subject to scrutiny. However, the super-injunction prevented the MoD from explaining the purpose of this expenditure publicly. To avoid breaching the court order, the Ministry chose not to separately itemise ARR costs or establish a transparent audit trail in its 2023–24 accounts (CPA, 2025). This approach proved unsustainable. Once the injunction was lifted, the MoD was required to implement a prior-period adjustment of £2.565 billion to retroactively recognise costs linked to Afghan relocations and associated legal liabilities (C&AG, 2025; CPA, 2025). This adjustment led the Comptroller and Auditor General to issue a qualified audit opinion on the MoD’s 2024–25 accounts (C&AG, 2025). A qualified opinion for a major government department is a serious indicator of non-compliance with standard financial controls. In this case, the qualification stemmed from what the C&AG described as “breaches of expenditure controls” (C&AG, 2025), reflecting spending undertaken without normal approvals or transparency. While the MoD argued that standard procedures could not be followed without violating the injunction, the Committee of Public Accounts (CPA) later criticised the situation sharply, highlighting the strain placed on the National Audit Office and the effective circumvention of parliamentary oversight over a multi-billion-pound issue (CPA, 2025).
A further legal dimension concerned regulatory enforcement. Although the Information Commissioner’s Office (ICO) was notified of the breach in 2023, its ability to respond was constrained by the secrecy surrounding the case. Ultimately, the ICO decided not to impose a fine or formal enforcement notice in relation to the 2022 breach (NAO, 2025, para. 13). This contrasted with its response to the earlier 2021 ARAP-related breach, for which the MoD was fined £350,000 (NAO, 2025, para. 13). The ICO explained that by the time it was able to engage fully—following the lifting of the injunction in July 2025—the MoD had already implemented remedial measures and was cooperating with ongoing oversight, reducing the perceived value of punitive sanctions. Nevertheless, some privacy advocates questioned this decision, arguing that the scale of harm warranted a clearer enforcement response. The ICO defended its position by citing the exceptional circumstances of a life-critical evacuation and the continued classification of much of the relevant evidence (ICO, 2025[NS1] ). The absence of a fully independent regulatory investigation has left aspects of the breach unresolved in the public domain, including the extent of individual accountability within the MoD. No criminal proceedings or disciplinary dismissals have been publicly reported, and accountability may instead be pursued through civil litigation. Several affected Afghans, supported by human rights law firms, are exploring legal action against the MoD for negligence and resulting harm (Leigh Day, 2025).
The political fallout intensified after the super-injunction was lifted on 15 July 2025, following a High Court ruling that continued secrecy was no longer justified (Leigh Day, 2025). This disclosure coincided with the installation of a new government following a general election. Prime Minister Keir Starmer publicly criticised the previous Conservative administration, stating that former ministers had “serious questions to answer” regarding both the handling of the breach and the prolonged secrecy surrounding the relocation programme (Walker, 2025). Such direct criticism by a sitting Prime Minister of predecessors on a national-security-related issue was unusual and reflected broader concerns that the prior response prioritised reputational management over transparency.
Senior figures from the previous government rejected this characterisation. Grant Shapps, who served briefly as Defence Secretary in 2023, defended the decision to maintain the injunction, arguing that secrecy was intended to protect lives and enable discreet evacuations without provoking reprisals (Grierson, 2025). Critics challenged this justification, noting that Taliban actors were unlikely to require public confirmation to exploit leaked data and that delayed notification may have left many affected Afghans exposed to prolonged risk (The Independent, 2025). Parliamentary scrutiny reflected this scepticism. The House of Commons Defence Select Committee opened an inquiry into the Afghan data breach and resettlement schemes in late 2025, soliciting evidence from government officials, experts, and civil society organisations. Submissions to the inquiry, including those from Refugee Legal Support, documented severe human impacts and alleged governance failures, intensifying pressure on ministers to account for their decisions (RLS, 2025b).
Separately, the Committee of Public Accounts published a highly critical report, the Fifty-Fourth Report of Session 2024–26, which characterised the MoD’s handling of the breach as a “catalogue of mistakes” (CPA, 2025). The Committee criticised the Ministry for failing to act on prior warnings and for creating what it described as a “deeply uncomfortable” democratic deficit by withholding information from Parliament and the NAO (CPA, 2025, paras. 17–18). Summarising the findings, the Committee’s Chair stated that these risks “ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer”, while expressing a lack of confidence in the MoD’s ability to prevent a recurrence (CPA, 2025). The CPA recommended urgent confirmation that secure case management systems were in place and the establishment of clear protocols for notifying oversight bodies even where confidentiality is required.
The controversy also intersected with wider political debates on immigration and asylum. Media reporting that thousands of Afghans had been relocated to the UK in secret, at a cost exceeding £850 million, prompted divergent responses across the political spectrum (Guardian/Reuters, 2025[NS2] ). Refugee advocates argued that the episode demonstrated the state’s capacity to resettle large numbers rapidly when political will exists, and that such action should be transparent and accompanied by adequate support and compensation. Others raised concerns about integration and security, despite the absence of evidence that those relocated under ARR posed any security risk. These debates fed into broader tensions within UK politics between commitments to international obligations and domestic migration narratives. While the current government has adopted a more openly sympathetic tone, it has also proceeded cautiously, reflecting the continued sensitivity of asylum policy.
In conclusion, the legal and political fallout from the Afghan data breach remains ongoing but has already been substantial. Legally, it tested the boundaries of official secrecy and accountability in cases of large-scale data failure. Politically, it has become both a site of partisan contestation and a broader lesson in the costs of governance failures. The episode illustrates how attempts to contain reputational damage through secrecy can ultimately intensify scrutiny, erode public trust, and generate lasting institutional consequences.
Human Impact
Beyond the institutional and political consequences lies the most tragic aspect of the breach: the human cost. For Afghan individuals and families whose personal details were exposed, the consequences have been profound. These people were already among the most vulnerable: by applying to the ARAP scheme, they had effectively signalled that they were at risk of Taliban retaliation. The data leak heightened that danger. It is difficult to overstate the fear and distress that spread through this community of “affected Afghans” once the breach became known to them, which occurred long after it became known to those who might seek to exploit the information.
In July 2025, when the MoD began notifying those on the list about the breach, nearly two and a half years after the incident, the news confirmed what many suspected based on the threats they had been experiencing. A survey conducted by Refugee Legal Support (RLS) in late 2025 of Afghans who received the MoD’s notification sets out the scale of reported harm (RLS, 2025b). According to the survey, 87% of respondents said they had experienced personal threats or risks to family members since the breach (RLS, 2025b). These threats included specific death threats, reports of Taliban members appearing at homes, and messages referencing respondents’ work with foreign forces. The survey also recorded reported violence: 43% stated they had received a direct threat against their own life, and 52% reported that relatives or friends in Afghanistan had been explicitly threatened by Taliban elements (RLS, 2025b).
A significant number of respondents also reported fatal outcomes. Among those surveyed, at least 49 individuals stated that a colleague or family member had been killed in circumstances they linked to the data breach (RLS, 2025b; Walker, 2025). Some accounts describe incidents in which Taliban operatives allegedly used names and associations from the spreadsheet to identify and target individuals. For example, one respondent reported that a family member was killed in retaliation for the respondent’s past work with UK forces, while another reported the killing of a former colleague after being identified through leaked information (RLS, 2025b). Such reports remain difficult to independently verify, but they are consistent with documented Taliban patterns of retribution against perceived collaborators. As one Afghan veteran observed, “Afghans who served alongside UK forces have faced renewed threats, violent assaults, and even the killing of family members after their personal details were exposed” (Clark, quoted in Walker, 2025). For many affected families, the consequences have been both immediate and severe.
Even where respondents had not experienced physical harm, the psychological and social toll reported was substantial. The RLS survey found that 89% of notified individuals reported negative impacts on their physical or mental health, and an equal proportion said their family’s wellbeing had been adversely affected (RLS, 2025b). Reported impacts included chronic anxiety, depression, and acute stress. One former member of the Afghan National Security Forces described living in constant fear: “My family and I continue to face intimidation, repeated house searches, and ongoing danger to our safety” (RLS, 2025b, Respondent 117). Another respondent, an Afghan National Army veteran still in Afghanistan, stated: “A couple of weeks after [the data leak] was made known, I was recognised by the Taliban and badly beaten up” (RLS, 2025b, Respondent 43). In another testimony, a respondent described the torture of a family member by Taliban fighters who accused the family of being traitors and referenced the son’s work with foreign forces (RLS, 2025b, Respondent 171). For those who managed to leave Afghanistan and are awaiting resettlement in third countries, or those now in the UK, survivor’s guilt and fear for relatives left behind compound the trauma. A former interpreter now in Britain reported: “Following the leak, the Taliban searched my family home and continue to threaten my relatives… They question my family about me every day” (RLS, 2025b, Respondent 88).
The breach also damaged trust in the UK’s commitments. For those affected, the realisation that their application for protection may itself have increased their exposure to harm was deeply destabilising. One Afghan affected stated: “The delay between the discovery of the data breach in 2023 and [our] communication in July 2025 is deeply concerning and unacceptable. Waiting almost two years to inform us that our personal data was compromised has put many lives at risk unnecessarily” (former ANA officer, quoted in Walker, 2025). The delayed notification meant that many were denied the opportunity to take risk-mitigation measures, such as changing location or contact details, at an earlier stage. Several respondents reported feeling “abandoned” or “sacrificed” by the delay (RLS, 2025b). Even after notification, many viewed the support offered as limited. RLS reported that the MoD’s primary means of notification was an email or letter referring to a “data incident” and providing security advice (RLS, 2025b). Only 38% of affected Afghans reported that the MoD’s security advice was helpful (RLS, 2025b). Respondents described the guidance as overly general, and therefore inadequate to their circumstances. As one respondent noted, “When our personal info is already accessible to the Taliban, advice about using a VPN or not oversharing online does little. The risks remain regardless” (RLS, 2025b).
For those evacuated to the UK under ARR or other schemes, new challenges have emerged. Resettlement has not always been smooth. Some evacuees reported prolonged stays in temporary accommodation and delays in processing immigration status. “The agency that helped us resettle treated us awfully,” stated one interpreter now in the UK (RLS, 2025b, Respondent 249). Another recurring theme is family reunification. Many of those relocated were separated from extended family members who remain at risk. Under standard eligibility rules, not all relatives qualify for relocation, but affected individuals have argued that the breach significantly elevates risk for family members named or identifiable through the leaked data. At the time of writing, some have been able to sponsor additional relatives, while others remain in prolonged uncertainty. The psychological burden of separation, combined with earlier trauma, has led some mental health professionals to warn of a serious support requirement for this cohort. Afghan refugees already carry trauma from war and displacement; the breach added a further layer of distress associated with perceived institutional failure by the state they trusted (British Psychological Society briefing, 2025[NS3] ).
Amid these outcomes, Afghan communities and supporting organisations have also mobilised to provide mutual support. Groups in the UK have formed networks to assist new arrivals in navigating resettlement, while refugee organisations and legal charities have advocated for expedited processing and additional support, including through preparations for group litigation. Their central argument is that individuals were exposed to danger through no fault of their own as a result of a UK government failure and therefore require timely protection and redress. Some affected individuals have spoken anonymously to the media, describing their experiences and shaping wider public understanding of the issue. As one account described, an Afghan special forces veteran living precariously in Iran reported severe anxiety after being denied ARAP and later being informed that his risk level had increased due to the breach (RLS, 2025b). Such testimonies have contributed to public recognition that those affected are individuals who worked alongside the UK and are now bearing the consequences of institutional failure.
In closing, the human impact of the MoD data breach remains an ongoing tragedy. Lives have been lost, disrupted, and placed under severe strain. A community that supported the UK in conflict has borne a heavy cost through no fault of its own. While the UK’s subsequent actions, including evacuations and a formal apology, have provided some protection, they occurred only after prolonged delay. For many affected Afghans, the psychological and practical consequences will endure for years. As one Afghan now in Britain remarked: “We might be in a safe place now, but the nightmares are still with us, of what happened to us, and what might still happen to those we love back home.”
Public Trust and Strategic Consequences
The fallout from the Afghan data breach has not been confined to those directly affected; it has also reverberated through the broader realms of public trust and the UK’s strategic credibility. At its heart, this incident strikes at a fundamental expectation: that the British government will protect those who risk their lives to aid its missions. The breach – and the subsequent secrecy – delivered a double blow to that expectation, raising doubts about the UK’s reliability as an ally and about the government’s commitment to transparency and accountability at home.
Public Trust in Government
Within the UK, revelations of the MoD’s mishandling of the breach and the prolonged secrecy that followed have dented public confidence in the Ministry and in government more generally. The Ministry of Defence is typically regarded as a high-trust institution, closely associated with national security and the armed forces. Learning that the MoD could lose sensitive personal data on such a scale, and then conceal the incident, caused concern even among supporters of the defence establishment. Editorials in major British newspapers, from The Times to The Guardian, criticised the MoD’s competence and candour. Many members of the public were unaware that a super-injunction had prevented reporting and parliamentary discussion until after it was lifted. Its existence prompted warnings that Britain was “entering a dangerous era” in which national security is invoked to obscure major failures and stifle democratic debate (Burges, 2025).
While national security can legitimately require secrecy, critics argued that this case did not meet that threshold, since the most sensitive information—the identities of Afghan collaborators—had already been exposed by the breach itself. Instead, the injunction’s principal effect was perceived as shielding officials and ministers from immediate scrutiny. Such perceptions reinforced a narrative of a government more focused on avoiding accountability than addressing institutional failure. In a context of already fragile trust in public institutions, the episode provided further ammunition for critics who argue that the British state has become overly secretive and prone to cover-ups. These concerns were compounded when financial irregularities became public, including the disclosure that £2.6 billion had been spent without transparent accounting. This raised fears that the government had been “playing fast and loose” with taxpayer funds under the cloak of secrecy. Even citizens with limited interest in foreign policy expressed alarm at the scale of unaccounted expenditure and at an NAO audit opinion that effectively stated, “we can’t be sure where the money went.” Polling data in late 2025 reflected a modest decline in confidence in the MoD’s administrative competence and a sharper fall in approval of how the government handled Afghan refugees (YouGov, 2025). While public trust can recover, such episodes tend to leave a lasting residue of doubt.
Credibility with Allies and Local Partners
Internationally, the breach has raised uncomfortable questions about the UK’s reputation. Britain has long emphasised principles such as loyalty to those who serve alongside it and respect for the rule of law. The Afghan data breach undermined those claims. Allies including the United States, Canada, and European NATO members all faced comparable challenges during the Afghan evacuation and operated their own resettlement schemes. Background reporting by BBC correspondents in Washington and Brussels suggested that some defence officials expressed concern about the UK’s handling of sensitive partner data.
While allied governments have refrained from public criticism, there has been private concern that the breach’s implications could extend beyond the UK. Where Afghan partners worked with multiple international forces, compromised UK data could expose individuals linked to other states. Strategically, the episode has been cited as a cautionary example of inadequate data governance in multinational operations. NATO and other defence forums have reportedly discussed establishing minimum data protection standards for future evacuations and programmes involving vulnerable partners. The broader lesson is that humanitarian and stabilisation operations require information security standards comparable to those applied in military contexts.
The incident has also fed into what some commentators describe as the “perfidious Albion” narrative, a long-standing trope portraying Britain as unreliable in its commitments. The Independent (2025) explicitly drew a line from historical betrayals to this modern case, arguing that the failure to protect Afghan allies, followed by secrecy, would reinforce distrust in Britain’s word. In future operational theatres, adversaries may use the breach as propaganda: “Look what befell those who trusted the British – they were left for dead.” Taliban messaging in 2025 framed the breach as proof of Western perfidy, with spokesmen claiming that “Allah has exposed the helpers of the infidels” and portraying the UK’s secret evacuations as evidence of panic. While local allies often continue to cooperate despite such risks, each episode of this kind makes recruitment and trust-building more difficult. Strategically, the credibility of assurances given to local staff matters not only morally but operationally; without trusted local networks, missions become far less effective.
Moral Authority and Soft Power
The UK has long sought to project influence through its values and humanitarian commitments. The chaotic withdrawal from Afghanistan in 2021 had already damaged this image, and schemes such as ARAP were intended to preserve some moral authority by protecting those who had assisted UK forces. The data breach, and the secrecy that followed, further tarnished that effort. International human rights organisations criticised the UK’s actions. Amnesty International stated that the breach “shamefully imperilled the very people the UK promised to protect” and called for an independent inquiry and reparations. The UN High Commissioner for Refugees more cautiously noted that “lessons must be learned” to ensure the safety of refugees and those at risk. Together, these responses weakened the UK’s standing as a leader in refugee protection. Adversarial states also seized on the incident. Russian and Chinese state media highlighted the breach as evidence of Western incompetence and duplicity, reinforcing a narrative that the withdrawal from Afghanistan was not only chaotic but callous. While such coverage is politically motivated, it nonetheless contributes to the erosion of UK soft power.
Domestic Morale within Institutions
A further strategic consequence has been felt within the UK’s own institutions. Many service personnel who served in Afghanistan formed close bonds with local interpreters and partners, and for them ARAP represented a moral obligation to former comrades. Awareness that a bureaucratic failure undermined that commitment has been demoralising. Former military personnel have voiced anger in the press and in parliamentary evidence, recalling friends who went into hiding or suffered harm during prolonged delays. Such disillusionment risks corroding confidence in leadership. Within the civil service, the episode has prompted reflection on risk management and escalation practices, including whether warning signs were missed or constrained by compartmentalisation. Strategically, institutions that confront failures openly can adapt and strengthen; those that do not risk repetition. Ensuring that lessons are fully internalised through training, procedural reform, and accountability is essential for restoring confidence among staff and the public.
In summary, the strategic and trust-related consequences of the Afghan data breach extend far beyond the immediate incident. It has unsettled allies, weakened public confidence, and potentially complicated future operations. The UK’s credibility as a reliable partner and a state committed to openness has been undermined. Rebuilding that credibility will require sustained and demonstrable reform. As one assessment concluded, “When Britain’s allies put their lives on the line, we abandoned them – and covered it all up” (The Independent, 2025). Addressing that critique directly is essential if the UK is to move forward with its moral authority intact.
Recommendations
Addressing the fallout of the 2022 MoD data breach and preventing similar failures in the future will require a comprehensive set of actions. These recommendations focus on restoring trust, providing redress to those harmed, and reforming the systems and institutional culture that allowed the breach and its flawed handling to occur. They draw on parliamentary findings, expert assessments, and the testimony of affected individuals. The following measures are proposed:
1. Overhaul Data Management and Security Protocols
The Ministry of Defence must fully transition all sensitive casework, including refugee and local staff programmes, to secure, purpose-built information systems. Reliance on ad hoc tools such as spreadsheets is no longer acceptable. A modern case-management platform with strict role-based access controls, encryption, and comprehensive audit logging should be fully operational (CPA, 2025). All staff handling personal data should receive enhanced training in data protection and cyber-hygiene. Regular audits and stress-testing of systems should be conducted to ensure resilience. Crucially, departmental culture must treat data security as integral to mission success rather than a secondary administrative concern. Senior leadership should be accountable for maintaining these standards, including through performance assessments or budgetary oversight linked to information-assurance compliance.
2. Establish Clear Accountability and Transparency Mechanisms
In the event of future data breaches or comparable incidents, departments should not unilaterally decide to withhold information from oversight bodies. Clear protocols should be developed, potentially under Cabinet Office guidance, for briefing the National Audit Office, relevant Select Committee chairs, and ministers in confidence where national security sensitivities apply. Consideration could also be given to appointing an independent reviewer to oversee the handling of such incidents. The objective is to preserve democratic scrutiny even where public disclosure must be temporarily limited. Where extraordinary legal measures such as super-injunctions are sought, they should be subject to regular judicial review rather than open-ended secrecy. Parliament may wish to consider legislative safeguards, including sunset clauses or mandatory oversight provisions, for injunctions involving public authorities. Overall, a presumption in favour of transparency should apply unless a clearly substantiated case is made otherwise (CPA, 2025).
3. Provide Full Redress and Support for Affected Individuals
The government has a clear moral obligation to those placed at risk by this breach. Expedited relocation should be offered to all remaining Afghan applicants and immediate family members whose data was compromised and who wish to come to the UK, with clear timelines for resolving the current backlog (RLS, 2025b). Cases previously refused under ARAP or ACRS but involving individuals named in the leaked dataset should be proactively reopened and reassessed in light of the heightened risk (RLS, 2025b). For those already in the UK or awaiting relocation in third countries, comprehensive support packages are required. These should include tailored security assistance, access to mental health services, and practical integration support such as language training and employment assistance. A dedicated communication channel should be established to allow affected Afghans to report threats and seek timely help, potentially in partnership with international organisations such as UNHCR for those outside the UK (RLS, 2025b).
4. Implement a Fair Compensation Scheme
Many affected individuals have experienced serious material and psychological harm, including prolonged hiding, loss of income or property, and the death of family members. The government should establish a compensation scheme to provide financial redress without requiring prolonged litigation. Such a scheme would acknowledge responsibility and may reduce the need for costly and protracted legal action. It should be administered with input from an independent panel to assess claims fairly and consistently. While financial compensation cannot undo the harm suffered, targeted support, such as assistance for resettled families, educational support for children, or stipends for those unable to work, would represent tangible accountability. Existing precedents for compensation following state failures may inform the design of this mechanism.
5. Strengthen Interdepartmental Coordination and Planning
A contributing factor to the failure was the concentration of responsibility for Afghan resettlement within the MoD, an institution not structured for long-term refugee management. Future operations combining defence and humanitarian objectives should be managed through joint task forces involving the Home Office, the Foreign Office, and other relevant departments from the outset. This may have mitigated reliance on MoD-specific systems rather than established asylum-case infrastructure. Regular scenario planning for high-risk contingencies, including data breaches, should be conducted with input from security, legal, and communications specialists to avoid improvised responses under crisis conditions. Building institutional resilience requires planning for failure as well as success.
6. Reaffirm Ethical Commitments and Communicate Lessons Learned
Restoring credibility will require public acknowledgment as well as internal reform. The government should formally recognise the harm caused by the breach, ideally through a parliamentary statement, and reaffirm its commitment to safeguarding those who support UK operations. The Defence Secretary’s apology in 2025 was an important step, but it should be followed by regular updates to Parliament on the implementation of reforms. Publishing a suitably redacted summary of the MoD’s internal investigation, once security considerations permit, would further support transparency. Internationally, the UK should share lessons learned with allies to strengthen collective practice, as is already occurring in NATO discussions. In future engagements involving local partners, the UK must demonstrate, not merely assert, that systems and processes have been reformed. The narrative must move from “Britain betrayed its allies” to “Britain learned from a grave mistake and is determined to never repeat it.”
Implementing these recommendations will require financial resources, administrative effort, and political resolve. However, the costs of inaction or partial reform would be greater. Restoring trust, both among those directly affected and within the wider public, is essential.
The 2022 Afghan data breach exposed serious institutional weaknesses; the responsibility now is to ensure it becomes a catalyst for durable reform, so that those harmed did not suffer in vain and future partners can have confidence in the integrity and responsibility of British institutions.
