Ministry of Defence Afghan National Data Breach: What Happened?

More often than not, Barings Law fights for justice for those who have suffered financially at the hands of others.

We represent clients who are victims of mis-selling, those who were duped by online scammers, firms whose business interruption insurance assistance has been refused and people whose personal data has been used by AI developers without permission.

Those responsible should be held accountable, and Barings Law’s legal teams proudly do just that.

We win financial recompense for our clients who have been left out of pocket but, for the Afghan victims of a data breach at central government level, the consequences could be far more serious.

Those who had worked with the British armed forces in Afghanistan required anonymity, for fear of reprisals from the Taliban. But they have been put at risk by failings at the Ministry of Defence (MoD).

The MoD was in possession of names and personal details of people who assisted the British forces during their time in Afghanistan and would be at risk for doing so. The data, in the form of a spreadsheet, contained names, email addresses, family members’ names, MoD-assigned references and their roles within the Afghan army, among other personal information. It’s believed to have been emailed in error to numerous people and subsequently posted on social media.

Having assisted the UK Government, the lives of those within the list would be at risk, not just from the Taliban, but also their sympathisers beyond Afghanistan.

So, a significant threat exists for them, and their family members, who were working under the Afghan Relocation and Assistance Policy (ARAP) scheme. Many of them are currently in hiding for fear of being targeted for reprisal attacks. The threat is ongoing and represents the gravest of consequences, should they be discovered.

The breach, which occurred in 2023, was investigated by a national newspaper, who contacted the MoD for comment. The department’s immediate reaction was to take out a super-injunction, banning any reporting of the security blunder. Now, after nearly three years, the highly-dangerous data breach is in the public domain, with the super-injunction having been lifted.

The MoD has previously been fined by the Information Commissioner’s Office (ICO) for failures in data security. In the same year, the email addresses of 265 people fleeing Afghanistan were exposed. In another potentially lethal breach, an ARAP-issued group email failed to conceal the email addresses of 245 Afghan nationals eligible for relocation to the UK.

As well as the addresses that were mistakenly copied into the recipient list, their location was provided by one of the recipients who ‘replied all’ to the email. An investigation later led to a ruling that ARAP had not taken the correct steps to prevent the vital information’s disclosure.

As well as the ICO imposing a £350,000 fine on the MoD, ministers agreed to pay compensation, which is expected to total £1.6million.

“This deeply regrettable data breach let down those to whom our country owes so much,” said ICO commissioner John Edwards. “This was a particularly egregious breach of the obligation of security owed to these people, thus warranting the financial penalty my office imposes.”

Barings Law has led the fight to have the reporting ban lifted, and for those affected, as well as their families, to be informed as a matter of urgency. Our efforts have finally proved fruitful, as the ban has been lifted and we have already taken instruction by nearly a thousand people affected by the breach.

To see if you are eligible to make a claim, click the button below.