The Ministry of Defence (MoD) has acknowledged that there have been significantly more data breaches associated with its Afghan Relocations and Assistance Policy (Arap) programme than previously reported. According to newly released Freedom of Information (FoI) figures, the actual number of breaches is 49, rather than the previously reported four.
The MoD has not provided specific details on the nature of these breaches. Two of the known breaches involved email security lapses, impacting around 300 individuals. The more severe breach led to a £350,000 fine imposed on the MoD by the Information Commissioner’s Office (ICO), a departure from the usual practice of not fining government entities for such incidents.
In July 2025, a major data protection breach occurred when almost 19,000 asylum seekers’ data was mistakenly released by a staff member. This incident was only disclosed after a superinjunction preventing media coverage was lifted. Additionally, a cyber attack on a third-party services provider at Stansted Airport compromised the data of 3,700 individuals, including some linked to Arap.
Adnan Malik from Barings Law, representing over 1,000 affected Afghan claimants, expressed concerns about the escalating series of data breaches at the MoD. He emphasized the importance of transparency from the MoD and called for victims to be informed directly rather than through legal or media channels.
Cyber security advisor Jake Moore highlighted the common occurrence of human error in data breaches and stressed the need for enhanced protection, especially for sensitive information like that involved in Arap. He underscored the importance of encryption and stringent security measures to prevent further incidents.
The MoD reiterated its commitment to data security and compliance with the law, including reporting incidents to the ICO when necessary. In August, the MoD announced the deployment of an AI platform by Australian cyber security firm Castlepoint Systems to bolster its data protection practices.
MoD beefing up data protection with AI-backed tech
In August, the MoD partnered with Castlepoint Systems to implement an AI platform for enhanced data protection. The AI model manages structured and unstructured data, automating records management, privacy, security, and regulatory compliance.
Castlepoint’s technology enables efficient analysis of vast datasets, ensuring accurate identification of content and application of appropriate security measures.
