The MoD’s Data Breach

Caine Glancy

A major data breach by the Ministry of Defence (MoD) has come to light, putting thousands of lives at risk and costing the UK government hundreds of millions of pounds. The details were kept under wraps by a super injunction until now.

The MoD’s Data Breach: What You Need to Know

Here’s what happened, why it matters, and what it tells us about data protection in practice.

What Happened?

In 2022, a serious mistake at the MoD led to the personal details of almost 20,000 Afghan nationals being exposed. These individuals had either worked with or supported British forces in Afghanistan and were applying to a UK relocation scheme called ARAP (Afghan Relocation and Assistance Policy).

The breach involved an email that was mishandled, containing a full list of names and other identifying details. It is still unclear if the Taliban ever accessed the list, but the risk to those individuals and their families was significant. Some named on the list have since been killed, although it’s not confirmed whether this was directly linked to the breach.

Despite the gravity of the situation, the British government placed a super injunction on the incident, blocking the press from reporting on it. It has only now been lifted, over three years after the breach occurred.

Why Is This So Serious?

This wasn’t just a case of sending an email to the wrong person or forgetting to BCC a list. It involved identifiable information about people whose lives were already in danger. The exposure has resulted in the relocation of up to 7,000 Afghan nationals to the UK and is expected to cost taxpayers £850 million at a minimum, possibly rising to as much as £7 billion.

Litigation is now underway. One law firm representing over 1,000 victims has criticised the MoD for hiding the breach from the public and delaying accountability. Claimants are now seeking compensation for the harm and distress caused.

What Has the Government Said?

The current Defence Secretary, John Healey, has apologised and said the lack of transparency around the breach was deeply concerning. An internal review played down the ongoing risks, but data protection professionals have rightly questioned that conclusion.

The Information Commissioner’s Office (ICO) previously fined the MoD £350,000 for a similar breach in 2021, which also exposed the identities of Afghan nationals via email.

Lessons for DPOs and Data Leaders

This case is a stark reminder of the very real consequences that poor data handling can have, especially when it involves vulnerable individuals. For DPOs, it raises key questions:

Is your organisation properly training staff on secure communication?
Are you managing access and visibility of sensitive data?
Do you have robust breach response plans in place?
How transparent would you be if a breach happened under your watch?

This incident also reminds us that even the highest levels of government can get it wrong, which is why independent oversight and timely reporting remain critical principles in data protection.

Stay Up to Date with the Latest in Data Protection

At Data Protection People, we’re committed to helping professionals across the UK stay informed, connected, and confident in their roles.

If you want updates like this straight to your inbox or discussed live by industry experts:

Join our Data Protection Made Easy Podcast
Subscribe to our free newsletter
Become part of a growing community of 1,500+ DPOs and data leaders across the UK

We break down complex stories like this every week, helping you cut through the noise and stay ahead of the curve.

Cyber Security Services

PCI DSS

ISO 27001

Cyber Security Consultancy

Cyber Security Support

Pentesting

External Attack Surface Management

Data Protection Services

SAR Support

Data Protection Support

Outsourced DPO

Data Protection Consultancy

Information Management Software

GDPR Training

GDPR Audits

GDPR Representative

GDPR Documentation

GDPR Toolkit

Information Rights Request

24/7 Support whenever you need it