Catastrophic MoD Data Breach put thousands of Afghans lives in danger

In one of the most serious data breaches in recent UK history, a catastrophic error by the Ministry of Defence (MoD) exposed the personal details of thousands of Afghan nationals who had worked with British forces. The breach not only endangered lives but also triggered a secretive, high-cost operation to evacuate those at risk, and raised profound questions about government transparency, accountability, and data security.

It has recently been reported that around 7000 Afghan nationals have been relocated as a result of this breach, which happened three-and-a-half years ago, and has only recently become public knowledge due to successive governments trying to keep a secret through a superinjunction.

Union Jack flag on the sleeve of British military camouflage uniform shirt sleeve

What happened: How did the data breach occur?

In February 2022, a senior MoD official mistakenly sent an email containing a hidden spreadsheet with the personal information of over 18,000 Afghan individuals and their families who had applied for relocation to the UK to flee the Taliban. The people on the list had applied for relocation under the UK’s Afghan Relocations and Assistance Policy (ARAP).

Believing they were sharing a list of around 150 people for internal vetting, the official unknowingly attached a full database containing 33,000 rows of sensitive information. This included names, phone numbers, application statuses, locations, and links to British operations. The error went unnoticed at the time.

Over a year later, in August 2023, parts of the list surfaced in a Facebook forum. By then, the Taliban had intensified their targeting of known collaborators. Alarmed, the MoD finally recognised the gravity of the leak.

Silhouettes of soldiers on Military Mission at dusk

Who was responsible for the breach?

Responsibility lies with the MoD and was attributed to human error as it was sent by an MoD official mistakenly.

Despite the mistake, the individual was not dismissed but was removed from any involvement with the Afghan relocation programme. The incident has since exposed critical flaws in data handling within sensitive government departments.

Who was affected?

The breach affected at least 18,700 Afghan applicants, many of whom were interpreters, local staff, or others who had risked their lives to assist British forces during the 20-year war in Afghanistan.

Including family members and indirect connections, experts estimate the number of people placed in danger could be as high as 100,000. Tragically, it’s been confirmed that at least 17 Afghans named in the leak have been killed by the Taliban—14 of them after the breach.

How did the Government respond?

The UK government attempted to keep the breach a secret. In September 2023, the MoD obtained a super-injunction—a rare legal order that prevented the press from even reporting the injunction’s existence. This was done to avoid alerting the Taliban that the names had leaked and to protect those still in-country.

In parallel, the government launched Operation Rubic (later called the Afghanistan Response Route)—a covert effort to urgently evacuate those named. Over 16,000 people were extracted under this operation, many of whom would not have qualified under the original ARAP rules. The scheme aimed to relocate up to 23,900 individuals in total.

A map with a close-up focus on Afghanistan

Financial and political fallout

The evacuation and resettlement effort is estimated to have cost between £400 million and £850 million, with longer-term support for resettled families likely to raise the total to £7 billion.

The MoD now faces up to £1 billion in potential legal claims. Around 900 Afghans are reportedly preparing lawsuits, with compensation likely to range from £10,000 to £50,000 per person depending on individual circumstances and trauma endured.

Politically, the affair has ignited fierce debate. The use of a super-injunction to hide a government failure has been widely criticised as a dangerous precedent. Senior MPs have called for a full inquiry, accusing ministers of sidestepping accountability and undermining parliamentary scrutiny.

The impact of data breaches

This breach is an example of the serious repercussions of data breaches and how it can impact those affected. In this instance, the consequences could be life-threatening. This highlights the importance of organisations storing and handling data correctly and safely, particularly those who hold very serious or sensitive information about individuals.

Under General Data Protection Regulations (GDPR) and the Data Protection Act 2018, you have the right to have your personal data kept private and any organisation that shares or stores your data has a legal obligation to ensure it is kept safe, secure and up to date. If your data is breached, you can therefore make a claim against the organisation for compensation.

HNK Solicitors can help with data breach claims

If you have ever been affected by a data breach, HNK Solicitors can help. If you wish to make a civil claim for compensation after suffering a data breach, it is advised you seek the help of a specialist data protection solicitor, like HNK Solicitors. We have a dedicated team of data breach solicitors with many years of experience helping clients to successfully claim compensation after having their data breached.

Get in touch with our team today to learn more about how to make a claim for a data protection breach. We offer free consultations and can even take on clients on a no-win, no-fee basis. Call us on 0151 668 0814 or email the team on enquiries@hnksolicitors.com. Alternatively, fill in our online claim form to get started on your claim today.