In July 2025, the public finally learned that the UK Ministry of Defence had been responsible for a major data breach affecting thousands of Afghans who had helped British forces. The breach happened back in 2021 and 2022, but it was kept from public discussion by a legal super-injunction- a rare kind of court order that prevents anyone from even mentioning that a court case exists. Now that the injunction has been lifted, we can look at what really happened, how it was handled, and what it tells us about government risk management and data responsibility.
What happened?
In late 2021 and again in early 2022, a Ministry of Defence official sent an email intended for around 150 Afghans who had worked with the British military and were being offered evacuation and resettlement in the UK. But the email included a hidden spreadsheet that contained personal information for over 18,000 people- names, photos, email addresses, phone numbers, and in some cases, locations.
These were Afghans who had worked with the UK during its military mission in Afghanistan, often as interpreters, drivers, or local support. Many were in hiding after the Taliban takeover. Exposing their identities meant putting them- and their families- at risk of retribution.
To make matters worse, the email used a “cc” field instead of “bcc,” meaning all recipients could see one another’s addresses.
How was it discovered?
The breach didn’t become public right away. For a time, the spreadsheet circulated quietly. But in August 2023, someone shared it on Facebook. This brought the issue to light, and a group of lawyers representing some of the affected Afghans took it to court. A super-injunction was issued to prevent media coverage, supposedly to protect national security and the people named in the file.
In the meantime, the UK government began a secret program called the Afghan Relocations and Assistance Policy (ARAP) to help the individuals exposed by the breach escape Afghanistan. According to Reuters, more than 16,000 Afghans were relocated, and the operation cost hundreds of millions of pounds- possibly as much as £7 billion over time.
Why are people angry?
People are angry because no one has been held accountable. In July 2025, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), announced that it would not take enforcement action against the Ministry of Defence. It said the government had already taken significant steps to fix the damage, and that further action by the ICO wouldn’t add much.
Critics- including MPs, legal groups, and Afghan veterans- say this sends a dangerous message: that even one of the worst government data breaches in UK history can happen without regulatory consequences. They also question whether the super-injunction was used to protect lives or to shield the government from public scrutiny.
Why is this breach so serious?
This wasn’t just a spreadsheet with emails. These were real people, many of whom were actively being hunted by the Taliban. Their only protection was secrecy. Once their names and contact information were exposed, they had to flee or go into hiding.
Several sources, including The Times, report that at least ten of the individuals named in the breach were killed. Others are still missing. Some managed to escape, but at great cost- leaving behind family members, homes, and jobs. UK taxpayer funds were used to relocate thousands of people, an effort that could have been avoided with proper data handling.
