Data Breach Exposed Afghans: MoD Staff Ignored Warning

Wed Oct 22 2025 19:11:25 GMT+0300 (Eastern European Summer Time)

A recent leak revealed the details of nearly 19,000 Afghan individuals seeking refuge in the UK, despite prior warnings to Ministry of Defence staff about sharing sensitive information.

Documents from the UK Information Commissioner’s Office (ICO) indicate that Ministry of Defence (MoD) staff were cautioned against sharing sensitive data before a major breach occurred, which exposed personal details of nearly 19,000 Afghans. The leaked incident has raised serious concerns regarding data management and governmental accountability, with implications for those at risk from Taliban reprisals. The government is currently evaluating security enhancements to prevent future leaks.

The Ministry of Defence (MoD) staff were warned not to share information containing hidden tabs before a significant leak of Afghan data, as documents from the UK's Information Commissioner's Office (ICO) show. In a troubling incident last month, it was discovered that the personal details of nearly 19,000 Afghans seeking refuge in the UK were exposed when an official mistakenly emailed a spreadsheet with hidden data.

Concern has been raised within the ICO about the lack of sanctions against the MoD despite the breach, underscoring larger issues of data protection and misuse of information.
The MoD claimed they had taken steps to enhance data security, yet the ICO insisted that the government needs to learn more significant lessons from this event.

According to an ICO memo, existing guidelines indicated that the MoD was aware of the risks involved in sharing data, emphasizing the necessity to eliminate hidden data from shared datasets.

This security incident is economically significant, with the government estimating potential costs reaching up to £850 million—arising from the urgent resettlement program instituted during crises in Afghanistan as the Taliban regained control. The level of response to the data breach has been critically scrutinized as the ICO previously issued a £350,000 fine for a smaller breach involving Afghan data.

Documents reveal that secret meetings between the ICO and the MoD took place following the data breach, during which officials remarked on the incident as likely being 'the most expensive email ever sent.'

Internal discussions indicated potential reputational damage to the ICO for not pressing action against the MoD, highlighting the critical need for transparency and accountability in government institutions. Despite privacy laws requiring public bodies to report breaches, ICO discovered that there had been 49 separate breaches over the last four years handling Afghan relocation applications.

The ICO's spokesperson reiterated the urgency of addressing breaches comprehensively, noting insufficient improvements have been made so far. The MoD publicly asserted the intent to rectify their data management and security practices following extensive collaborations with the ICO.