The UK Parliament's Public Accounts Committee (PAC) says the Ministry of Defence (MoD) has failed to appropriately improve its data protection mechanisms, three years after the infamous 2022 Afghan data breach.
In a damning report published this morning, the PAC concluded that the MoD was aware of how risky its data-handling procedures related to the Afghan Relocations and Assistance Policy (ARAP) were at the time.
The committee still does not have confidence that the department could prevent a similar breach in the future.
Sir Geoffrey Clifton-Brown, chair of the PAC, said that in continuing to run "inadequate systems to handle sensitive personal information," the MoD "knew what it was doing," despite the significantly worsened security environment in Afghanistan at the time of the breach.
Central to the report, and the disaster in general, was the MoD's "inappropriate" casework system.
At the time, it was relying on Excel spreadsheets stored in SharePoint to handle the trove of sensitive personal data of Afghan citizens who assisted British troops during the conflict.
The report noted that this contributed to the incident, which leaked thousands of identities linked to Afghans who were due to be resettled for their own protection, and demanded the MoD confirm a new system is in place.
In total, there were 49 separate data breaches that leaked these identities, the report noted.
The first came in 2021, when 245 Afghan interpreters who assisted British forces had their details exposed in a CC-not-BCC email blunder, but the most significant came in February 2022, when around 19,000 Afghans who applied for the ARAP resettlement scheme were affected.
This incident also leaked the identities of British spies and other officials, although on a much smaller scale, at a time when the Taliban was actively hunting those who had assisted British troops in Afghanistan.
Research submitted to Parliament last month, informed by surveys completed by affected individuals, revealed the devastating human toll on those at risk of Taliban retaliation.
"Indeed, data breaches occurred in 2021 which were sufficiently serious to have to be reported to the Information Commissioner's Office, giving a warning which MoD should have taken steps to heed," said Sir Clifton-Brown.
"These risks crystallized into dozens of data breaches over years, and ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer running into hundreds of millions of pounds, at least.
"I take no pleasure as chair of this committee in stating now that we lack confidence in the MoD's current ability to prevent such an incident happening again."
The PAC's report further criticized the MoD for not appropriately informing government offices of the breaches, preventing the proper scrutiny that should have followed.
Crucially, the MoD only discovered that a breach had occurred in August 2023, after the list of affected Afghans was leaked online. The UK government secured a superinjunction preventing public reporting of the matter as a result.
The MoD failed to detail the incident in its annual accounts for 2023-2024, and did not brief the National Audit Office (NAO) on the operational consequences or scale of the breach.
The report stated that the MoD briefed the NAO director as its accounts were being audited, but this only mentioned a secret matter that could not be shared, and that it related to a data breach that could not be included in the accounts. The NAO director was also told that they could not pass on any of the information in that briefing to the wider department, preventing it from properly scrutinizing the case.
Sir Clifton-Brown commented: "The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD's decision-making.
"The MoD's outgoing Permanent Secretary told our inquiry that this period of secrecy in how taxpayers' money was being spent had been 'deeply uncomfortable' for him.
"That is just as it should be, and we are glad to hear it – but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister."
The NAO's primary responsibility is to investigate UK government departments' use of taxpayer money.
According to the PAC's report, the current costs associated with resettling around 7,000 Afghans under the Afghanistan Response Route are unconfirmed, but estimated to be around £850 million ($1.1 billion).
This excludes legal costs, potential future compensation for victims, and the costs associated with the other relocation schemes.
The MoD should have separated the costs associated with the different schemes, instead of combining them all, which would have given the NAO better information on which to scrutinize its spending.
It said it combined them to avoid breaching the conditions of the 2023 superinjunction, but the PAC's report stated that the MoD should have been able to separate these costs in anticipation of the gag order lifting in July 2025.
Of the MoD's £850 million estimate, the report stated: "The Department has so far been unable to provide sufficient evidence to give the NAO confidence in its estimate. The Department anticipates being able to give the NAO more detailed information on costs as part of its next report on the Afghanistan resettlement schemes overall."
The PAC issued a number of recommendations to the MoD in its report, which include the aforementioned confirmation that a new casework system is in place and that this system would prevent similar incidents from recurring, and that resettlement scheme costs are adequately broken down.
The Register understands that a new, secure casework system is indeed now operational, and the decision to implement one was made prior to the breach being detected.
In the near term, the department was asked to provide additional details to the PAC regarding its data protection policies, and come to an agreement on how it will ensure the right information reaches the proper authorities in the future.
Additionally, the PAC will keep a close eye on the MoD, demanding updates by March 2026 on resettlement activity under the ARR, and every six months after that.
Responding to the report, an MoD spokesperson said: "The data incident under the previous government in 2022 should never have happened, and while the committee acknowledges that practices have improved, we are continuing to make changes and improvements in data handling across the department, such as introducing a dedicated, secure casework system for Afghan resettlement.
"This government lifted the superinjunction in July so that the public and Parliament could rightly scrutinize this.
"The overall financial cost has never been concealed. We continue to estimate that the overall cost of the ARR scheme will be £850 million." ®

