The UK’s MoD just disclosed a huge 2022 data breach that forced them to secretly relocate 4,500 Afghan people who worked with the UK against the Taliban.
On July 15, 2025, the UK government revealed that a major data breach in early 2022 required them to discreetly relocate 4,500 Afghans to the UK, starting in April 2024. The breach, called one of the country’s “worst ever”, consisted of a spreadsheet holding critical information like contact details, names, and even family ties on about 18,714 Afghan citizens who had applied to relocate to Britain and many who had cooperated (even fought alongside) with the British government against the Taliban, before the Taliban overtook the region in 2021.
The highly sensitive information was not leaked by a threat actor, but instead by a British official in the Ministry of Defence (MoD) who remains unknown to the public. The breach was not discovered until August 2023, when the information resurfaced on Facebook. John Healey, Secretary of Defence discussed the issue at the House of Commons after the news was released: “This serious data incident should never have happened. It may have occurred three years ago under the previous government, but to all whose data was compromised I offer a sincere apology." In his statement, Healey shed some light on how the incident occurred, sharing that the spreadsheet was emailed “outside of authorised government systems,” something he called a “serious departmental error”, even as the Metropolitan Police decided against a police investigation.
Healey also explained that the official at fault was “no longer doing the same job,” while denying that he was “going to lead some witch hunt after a defence official - this is much bigger than the mistake of an individual." Underscoring the fact that the issue is “bigger” than one person’s mistake, Kemi Badenock, Conservative leader, also apologized on behalf of her party, which comprised the government at the time of the breach: "Somebody made a terrible mistake and names were put out there... and we are sorry for that. That should not happen."
This breach has been criticized on several levels; for the wide, critical impact dealt to the Afghan people who already endangered themselves to help the UK government, for costing taxpayers anywhere from £2 billion (about 2.7 billion USD) to £7 billion (nearly 9.4 billion USD), and for probably triggering an expensive lawsuit from at least some of the thousands of Afghans who likely suffered anxiety and distress because of the leak. All these effects came at the hands of just one official who made a preventable mistake, and the lengths the government went to “cover up” the error has also drawn some ire.
According to the BBC’s timeline of this breach, after the previous government discovered the breach on Facebook, their MoD requested an injunction from the court that would prevent the leak from reaching the public. The court responded by issuing a super-injunction in September 2023, blocking even the news of the injunction from being circulated, due to concerns that up to 100,000 people could have been harmed if the Taliban learned of the document. This injunction was extended two months later for the same concerns, while the judge did remark that the ruling created a “scrutiny vacuum”.
In February 2024, the injunction was extended again, in support of a plan to secretly relocate the thousands of Afghans who were in danger because of the exposure. By May 2024, a judge ruled for the first time that the injunction should be lifted, citing cost concerns. The MoD appealed, successfully gaining another extension. It was not until July 15, 2025 that the details of this breach were made public through a court ruling and that people whose information was compromised were informed, three years after the fact.
Notably, this is not the first time that Afghan people who worked with the UK government have been victims of a data breach. In September 2021, an email sent to Afghan nationals who were eligible for relocation due to their cooperation with the the UK did not hide the email addresses of the recipients (as done through the blind carbon copy (Bcc) section), instead listing the addresses in the ‘To’ section, allowing all recipients to know who else was eligible for relocation - therefore implicating them as people who worked against the Taliban. The breach affected 277 people. John Edwards, the information commissioner investigating the incident said the mistake “let down those to whom our country owes so much”.
As the story of the data breach continues to be unraveled, the fallout becomes clearer and clearer. Two days after the leak first made headlines, reports that the compromised spreadsheet also included specialized British officials, including spies, were published. While the MoD has maintained that they originally overestimated how many were at “risk of death or serious harm” because they were on the list, they still have told those who were exposed to “exercise caution” and be diligent online.
Still, many Afghan people who worked with the UK worry about their safety, and the safety of family members who are still in the region. In a review, the MoD claimed it was “highly unlikely” that someone may have been targeted because of the leak, but some with ties to the country have reported that the Taliban was more persistent about finding their relatives around the time that the list was compromised.
Understandably, the data breach has sparked calls for deeper investigation from officials like the UK’s Prime Minister, Sir Keir Starmer. In the Commons, Starmer said: “There's always been support across this House for the United Kingdom fulfilling our obligations to Afghans who served alongside British forces… Ministers who served under the party opposite have serious questions to answer about how this was ever allowed to happen." The Defence Committee plans to launch an inquiry “to ensure that lessons are learned”, and Liberal Democrats have asked for a public inquiry into the size of the breach and the cover up.
It’s still not clear what the victims of the data breach can expect, however. While those affected in the smaller 2021 data breach received up to £4,000 in compensation, the government says it may challenge new compensation claims, believing the relocation offers (made before the breach was disclosed) to be enough of a reparation. Hopefully, the effort “to drive improvement in the Department’s data handling training and practices” that was started in the MoD after the 2021 breach will find a second wind in the aftermath of this critical leak, a sure sign that email security is an overlooked area in MoD communications.