Report blasts UK Ministry of Defence over Afghan data-handling failures
(2025/11/14)
- Reference: 1763124010
- News link: https://www.theregister.co.uk/2025/11/14/pac_mod_afghan_report/
- Source link:
The UK Parliament's Public Accounts Committee (PAC) says the Ministry of Defence (MoD) has failed to appropriately improve its data protection mechanisms, three years after the infamous 2022 Afghan data breach.
In a [1]damning report published this morning, the PAC concluded that it was aware of how risky its data-handling procedures related to the Afghan Relocations and Assistance Policy (ARAP) were at the time.
The committee still does not have confidence that the department could prevent a similar breach in the future.
[2]
Sir Geoffrey Clifton-Brown, chair of the PAC, said that in continuing to run "inadequate systems to handle sensitive personal information," the MoD "knew what it was doing," despite the significantly worsened security environment in Afghanistan at the time of the breach.
[3]
[4]
Central to the report, and the disaster in general, was the MoD's "inappropriate" casework system.
At the time, it was relying on Excel spreadsheets stored in SharePoint to handle the trove of sensitive personal data of Afghan citizens who assisted British troops during the conflict.
[5]
The report noted that this contributed to the incident, which leaked thousands of identities linked to Afghans who were due to be resettled for their own protection, and demanded the MoD confirm a new system is in place.
In total, there were 49 separate data breaches that leaked these identities, the report noted.
The first came in 2021, when 245 Afghan interpreters who assisted British forces had their details exposed in a [6]CC-not-BCC email blunder , but the most significant came in [7]February 2022 , when around 19,000 Afghans who applied for the ARAP resettlement scheme were affected.
[8]
This incident also leaked the identities of British spies and other officials, although on a much smaller scale, at a time when the Taliban was actively hunting those who had assisted British troops in Afghanistan.
Research submitted to Parliament last month, informed by surveys completed by affected individuals, revealed the devastating [9]human toll of those at risk of Taliban retaliation .
"Indeed, data breaches occurred in 2021 which were sufficiently serious to have to be reported to the Information Commissioner's Office, giving a warning which MoD should have taken steps to heed," said Sir Clifton-Brown.
"These risks crystallized into dozens of data breaches over years, and ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer running into hundreds of millions of pounds, at least.
"I take no pleasure as chair of this committee in stating now that we lack confidence in the MoD's current ability to prevent such an incident happening again."
The PAC's report further criticized the MoD for not appropriately informing government offices of the breaches, preventing the proper scrutiny that should have followed.
Crucially, the MoD only discovered that a breach had occurred in August 2023, after the list of affected Afghans was leaked online. The UK government secured a superinjunction preventing public reporting of the matter as a result.
The MoD failed to detail the incident in its annual accounts for 2023-2024, and did not brief [10]the National Audit Office (NAO) on the operational consequences or scale of the breach.
The report stated that the MoD briefed the NAO director as its accounts were being audited, but this only mentioned a secret matter that could not be shared, and that it related to a data breach that could not be included in the accounts. The NAO director was also told that they could not pass on any of the information in that briefing to the wider department, preventing it from properly scrutinizing the case.
Sir Clifton-Brown commented: "The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD's decision-making.
"The MoD's outgoing Permanent Secretary told our inquiry that this period of secrecy in how taxpayers' money was being spent had been 'deeply uncomfortable' for him.
"That is just as it should be, and we are glad to hear it – but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister."
[11]Beatings, killings, and lasting fear: The human toll of MoD's Afghan data breach
[12]UK data regulator defends decision not to investigate MoD Afghan data breach
[13]UK government dragged for incomplete security reforms after Afghan leak fallout
[14]Britain's Ministry of Defence fined £350K over Afghan interpreter BCC email blunder
The NAO's primary responsibility is to investigate UK government departments' use of taxpayer money.
ARAP, ARR, and other resettlement schemes
To clarify the different acronyms peppered throughout the PAC's report: ARAP was the resettlement scheme open to Afghans who assisted British forces at the time of the 2022 breach. It was these applicants who comprised the vast majority of those affected, although not all were successful.
The previous Conservative government established the Afghanistan Response Route (ARR) in April 2024, but it was then discontinued in July 2025.
The ARR was one of the many schemes set up by the UK government to relocate high-risk victims of the breach who were previously deemed ineligible for the ARAP or any of the other routes. It was also the only one established as a direct result of the breach.
Others, like ARAP and the Afghan Citizens Resettlement Scheme (ACRS), were in place before the breach became public knowledge.
An estimated 7,355 people were deemed eligible for relocation under the ARR, adding to the 16,108 eligible applicants under ARAP. In total, 27,278 people were considered eligible for relocation across the various routes set up by the UK, although only 3,383 had arrived in the UK by June 2025, according to Home Office figures published in August.
According to the PAC's report, the current costs associated with resettling around 7,000 Afghans under the Afghanistan Response Route are unconfirmed, but estimated to be around £850 million ($1.1 billion).
This excludes legal costs, potential future compensation for victims, and the costs associated with the other relocation schemes.
The MoD should have separated the costs associated with the different schemes, instead of combining them all, which would have given the NAO better information on which to scrutinize its spending.
It said it combined them to avoid breaching the conditions of the 2023 superinjunction, but the PAC's report stated that the MoD should have been able to separate these costs in anticipation of the gag order lifting in July 2025.
Of the MoD's £850 million estimate, the report stated: "The Department has so far been unable to provide sufficient evidence to give the NAO confidence in its estimate. The Department anticipates being able to give the NAO more detailed information on costs as part of its next report on the Afghanistan resettlement schemes overall."
The PAC issued a number of recommendations to the MoD in its report, which include the aforementioned confirmation that a new casework system is in place and that this system would prevent similar incidents from recurring, and that resettlement scheme costs are adequately broken down.
The Register understands that a new, secure casework system is indeed now operational, and the decision to implement one was made prior to the breach being detected.
In the near term, the department was asked to provide additional details to the PAC regarding its data protection policies, and come to an agreement on how it will ensure the right information reaches the proper authorities in the future.
Additionally, the PAC will keep a close eye on the MoD, demanding updates by March 2026 on resettlement activity under the ARR, and every six months after that.
Responding to the report, an MOD spokesperson said: "The data incident under the previous government in 2022 should never have happened, and while the committee acknowledges that practices have improved, we are continuing to make changes and improvements in data handling across the department, such as introducing a dedicated, secure casework system for Afghan resettlement.
"This government lifted the superinjunction in July so that the public and Parliament could rightly scrutinize this.
"The overall financial cost has never been concealed. We continue to estimate that the overall cost of the ARR scheme will be £850 million." ®
Get our [15]Tech Resources
[1] https://publications.parliament.uk/pa/cm5901/cmselect/cmpubacc/1391/report.html
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2021/09/21/mod_email_fail_afghan_interpreters_data/
[7] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/10/28/impact_afghan_data_breach/
[10] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[11] https://www.theregister.com/2025/10/28/impact_afghan_data_breach/
[12] https://www.theregister.com/2025/10/22/ico_afghan_leak_probe/
[13] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[14] https://www.theregister.com/2023/12/13/mod_bcc_email_fine/
[15] https://whitepapers.theregister.com/
In a [1]damning report published this morning, the PAC concluded that it was aware of how risky its data-handling procedures related to the Afghan Relocations and Assistance Policy (ARAP) were at the time.
The committee still does not have confidence that the department could prevent a similar breach in the future.
[2]
Sir Geoffrey Clifton-Brown, chair of the PAC, said that in continuing to run "inadequate systems to handle sensitive personal information," the MoD "knew what it was doing," despite the significantly worsened security environment in Afghanistan at the time of the breach.
[3]
[4]
Central to the report, and the disaster in general, was the MoD's "inappropriate" casework system.
At the time, it was relying on Excel spreadsheets stored in SharePoint to handle the trove of sensitive personal data of Afghan citizens who assisted British troops during the conflict.
[5]
The report noted that this contributed to the incident, which leaked thousands of identities linked to Afghans who were due to be resettled for their own protection, and demanded the MoD confirm a new system is in place.
In total, there were 49 separate data breaches that leaked these identities, the report noted.
The first came in 2021, when 245 Afghan interpreters who assisted British forces had their details exposed in a [6]CC-not-BCC email blunder , but the most significant came in [7]February 2022 , when around 19,000 Afghans who applied for the ARAP resettlement scheme were affected.
[8]
This incident also leaked the identities of British spies and other officials, although on a much smaller scale, at a time when the Taliban was actively hunting those who had assisted British troops in Afghanistan.
Research submitted to Parliament last month, informed by surveys completed by affected individuals, revealed the devastating [9]human toll of those at risk of Taliban retaliation .
"Indeed, data breaches occurred in 2021 which were sufficiently serious to have to be reported to the Information Commissioner's Office, giving a warning which MoD should have taken steps to heed," said Sir Clifton-Brown.
"These risks crystallized into dozens of data breaches over years, and ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer running into hundreds of millions of pounds, at least.
"I take no pleasure as chair of this committee in stating now that we lack confidence in the MoD's current ability to prevent such an incident happening again."
The PAC's report further criticized the MoD for not appropriately informing government offices of the breaches, preventing the proper scrutiny that should have followed.
Crucially, the MoD only discovered that a breach had occurred in August 2023, after the list of affected Afghans was leaked online. The UK government secured a superinjunction preventing public reporting of the matter as a result.
The MoD failed to detail the incident in its annual accounts for 2023-2024, and did not brief [10]the National Audit Office (NAO) on the operational consequences or scale of the breach.
The report stated that the MoD briefed the NAO director as its accounts were being audited, but this only mentioned a secret matter that could not be shared, and that it related to a data breach that could not be included in the accounts. The NAO director was also told that they could not pass on any of the information in that briefing to the wider department, preventing it from properly scrutinizing the case.
Sir Clifton-Brown commented: "The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD's decision-making.
"The MoD's outgoing Permanent Secretary told our inquiry that this period of secrecy in how taxpayers' money was being spent had been 'deeply uncomfortable' for him.
"That is just as it should be, and we are glad to hear it – but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister."
[11]Beatings, killings, and lasting fear: The human toll of MoD's Afghan data breach
[12]UK data regulator defends decision not to investigate MoD Afghan data breach
[13]UK government dragged for incomplete security reforms after Afghan leak fallout
[14]Britain's Ministry of Defence fined £350K over Afghan interpreter BCC email blunder
The NAO's primary responsibility is to investigate UK government departments' use of taxpayer money.
ARAP, ARR, and other resettlement schemes
To clarify the different acronyms peppered throughout the PAC's report: ARAP was the resettlement scheme open to Afghans who assisted British forces at the time of the 2022 breach. It was these applicants who comprised the vast majority of those affected, although not all were successful.
The previous Conservative government established the Afghanistan Response Route (ARR) in April 2024, but it was then discontinued in July 2025.
The ARR was one of the many schemes set up by the UK government to relocate high-risk victims of the breach who were previously deemed ineligible for the ARAP or any of the other routes. It was also the only one established as a direct result of the breach.
Others, like ARAP and the Afghan Citizens Resettlement Scheme (ACRS), were in place before the breach became public knowledge.
An estimated 7,355 people were deemed eligible for relocation under the ARR, adding to the 16,108 eligible applicants under ARAP. In total, 27,278 people were considered eligible for relocation across the various routes set up by the UK, although only 3,383 had arrived in the UK by June 2025, according to Home Office figures published in August.
According to the PAC's report, the current costs associated with resettling around 7,000 Afghans under the Afghanistan Response Route are unconfirmed, but estimated to be around £850 million ($1.1 billion).
This excludes legal costs, potential future compensation for victims, and the costs associated with the other relocation schemes.
The MoD should have separated the costs associated with the different schemes, instead of combining them all, which would have given the NAO better information on which to scrutinize its spending.
It said it combined them to avoid breaching the conditions of the 2023 superinjunction, but the PAC's report stated that the MoD should have been able to separate these costs in anticipation of the gag order lifting in July 2025.
Of the MoD's £850 million estimate, the report stated: "The Department has so far been unable to provide sufficient evidence to give the NAO confidence in its estimate. The Department anticipates being able to give the NAO more detailed information on costs as part of its next report on the Afghanistan resettlement schemes overall."
The PAC issued a number of recommendations to the MoD in its report, which include the aforementioned confirmation that a new casework system is in place and that this system would prevent similar incidents from recurring, and that resettlement scheme costs are adequately broken down.
The Register understands that a new, secure casework system is indeed now operational, and the decision to implement one was made prior to the breach being detected.
In the near term, the department was asked to provide additional details to the PAC regarding its data protection policies, and come to an agreement on how it will ensure the right information reaches the proper authorities in the future.
Additionally, the PAC will keep a close eye on the MoD, demanding updates by March 2026 on resettlement activity under the ARR, and every six months after that.
Responding to the report, an MOD spokesperson said: "The data incident under the previous government in 2022 should never have happened, and while the committee acknowledges that practices have improved, we are continuing to make changes and improvements in data handling across the department, such as introducing a dedicated, secure casework system for Afghan resettlement.
"This government lifted the superinjunction in July so that the public and Parliament could rightly scrutinize this.
"The overall financial cost has never been concealed. We continue to estimate that the overall cost of the ARR scheme will be £850 million." ®
Get our [15]Tech Resources
[1] https://publications.parliament.uk/pa/cm5901/cmselect/cmpubacc/1391/report.html
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2021/09/21/mod_email_fail_afghan_interpreters_data/
[7] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aRdgKl3L8mit-q54wJh_agAAARQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/10/28/impact_afghan_data_breach/
[10] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[11] https://www.theregister.com/2025/10/28/impact_afghan_data_breach/
[12] https://www.theregister.com/2025/10/22/ico_afghan_leak_probe/
[13] https://www.theregister.com/2025/08/29/uk_government_breach_review/
[14] https://www.theregister.com/2023/12/13/mod_bcc_email_fine/
[15] https://whitepapers.theregister.com/
Re: Cockup or conspiracy?
Primus Secundus Tertius
All special advisors should be handed over to the Taliban, or the Norks.
Cockup (data loss) plus conspiracy (superinjunction).
Tron
The PAC seems to be labouring under the quaint misapprehension that their role is to stop waste and failure. Waste and failure are inherent in governments and their militaries. The PAC's job is to calculate how much waste and failure took place, when it has become a historical footnote - when those responsible are no longer in office and nobody is in danger of losing their job or being prosecuted for it.
The numbers of people involved, as with immigration from Hong Kong, are politically sensitive. Hence the superinjunction. So they are not reported alongside the much smaller numbers of 'small boats' migrants, as it would distract people from the narrative: Britain is absolutely full to bursting, every last inhabitable room occupied, and would suffer economic collapse should a few thousand people be added to the 68,300,000 that are already squeezed in here, shoulder to shoulder, fighting over the last microwave meal on the supermarket shelf.
Oh, and to repeat the mantra. Your infrastructure/core stuff/intranet/private data/state secrets/best porn should be held on systems that never connect to the public internet. Not for SaaS, rubbish AI or cloud storage. Not for nuffink, guv. And then they are safe. Maybe the PAC could force everyone at the MOD to write that out, neatly, 500 times before they go home for their tea. The debased penny might drop then.
Hah...Politicians And Civil Servants And The Military Hard At Work.....
Anonymous Coward
Quote: '...the MoD "knew what it was doing"....'
Really??
1840: Brits thrown out of Afghanistan
1880: Brits thrown out of Afghanistan
1987: Russians thrown out of Afghanistan
...then on 30 August 2021, Brits and Americans thrown out of Afghanistan.
Quote (George Santayana): "Those who cannot remember the past are condemned to repeat it."
Cockup or conspiracy?
Given the political and financial cost of welcoming 10,000 Afghan refugees, while also trying to deport anyone without a knighthood to Rwanda.
Might some eager little Special Advisor have specially advised that leaking their names and letting the Taliban 'solve the problem' might be politically expedient?