A serious data breach at the UK’s Ministry of Defence has been revealed, putting at risk the personal data and lives of thousands of Afghan citizens seeking relocation to the UK for protection from Taliban reprisals. The breach occurred in early 2022 when a dataset containing details of over 18,000 applicants under the Afghan Relocations and Assistance Policy and the Afghanistan Locally Employed Staff Ex-Gratia Scheme was released in error. Part of this dataset was later found to have been published on Facebook, leading to a superinjunction being granted to prevent media outlets from reporting on the incident.
The lifting of the superinjunction followed a review report by former civil servant Paul Rimmer, which concluded that the dataset falling into the hands of the Taliban would not significantly change the exposure of individuals already in the public domain. The incident also led to the establishment of a secret Afghan resettlement route, the Afghanistan Response Route, to fast-track the relocation of applicants. The government confirmed that offers made to remaining principals and their families in Afghanistan would be honored.
Defense Secretary Ben Healey admitted to the serious departmental error and breach of data protection protocols, leading to swift action to remove the exposed data from Facebook. An internal investigation was conducted, and reports were made to the Information Commissioner’s Office and the Metropolitan Police. Healey issued a sincere apology on behalf of the British government to those affected by the breach.
The government has set up a dedicated microsite for affected individuals to check if they were exposed and access guidance on personal cyber security. Cyber security advisor Jake Moore highlighted human error as a major risk in data breaches, emphasizing the need for stronger technical safeguards and user training. The history of exposures related to the ARAP program was also discussed, including previous breaches and fines imposed by the Information Commissioner’s Office.
Overall, the breach at the Ministry of Defence underscores the importance of robust data protection measures and the potential consequences of human error in compromising sensitive information.
