The UK Ministry of Defence (MoD) experienced **49 separate data breaches** over four years within its **Afghan Relocations and Assistance Policy (ARAP)** unit, which handles relocation applications for Afghans at risk due to their work with British forces. The most severe incident involved a **spreadsheet leak in 2022**, where a soldier unknowingly shared hidden data containing **personal details of nearly 19,000 Afghans**, including names, contact information, and family associations. This breach, suppressed by a gagging order until 2024, risked exposing vulnerable individuals to Taliban reprisals. Other breaches included **email misconfigurations** (e.g., 265 Afghans’ email addresses exposed in 2021) and repeated failures in data handling protocols despite remedial measures like the 'two pairs of eyes' review rule. The breaches prompted fines (e.g., £350,000 for the 2021 email incident), legal scrutiny, and criticism over **lax security culture**, with lawyers and data protection experts questioning the MoD’s ability to safeguard highly sensitive information. The ICO acknowledged ongoing engagement but took no further action on the largest breach, citing resource constraints. Political blame shifted between Conservative and Labour administrations, with the latter claiming improved measures post-2024.
Source: https://www.bbc.com/news/articles/cp8950pyy1vo
TPRM report: https://www.rankiteo.com/company/uk-ministry-of-defence
"id": "uk-0893808100325",
"linkid": "uk-ministry-of-defence",
"type": "Breach",
"date": "6/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '~19,000 Afghans (2022 Breach) + '
'265 (2021 Email Breaches) + '
'Undisclosed Others',
'industry': 'Defense/Military',
'location': 'United Kingdom',
'name': 'Ministry of Defence (MoD), UK',
'size': 'Large (10,000+ Employees)',
'type': 'Government Agency'},
{'customers_affected': '49 Breaches Affecting Thousands '
'(Exact Numbers Undisclosed for '
'Most Incidents)',
'location': 'Afghanistan/UK',
'name': 'Afghan Relocations and Assistance Policy '
'(ARAP) Applicants',
'type': 'Individuals/Refugees'}],
'attack_vector': ['Human Error (Email Misconfiguration)',
'Improper Data Handling (Spreadsheet Hidden Data)',
'Insufficient Access Controls',
'Lack of Oversight/Review Processes'],
'customer_advisories': ['Limited Direct Communication (Due to Security Risks '
'for Afghans)',
'Public Apologies via Political Channels'],
'data_breach': {'data_exfiltration': 'Yes (Unintentional, via '
'Email/Spreadsheet Sharing)',
'file_types_exposed': ['Spreadsheets (Excel)',
'Emails (Outlook/Internal Systems)'],
'number_of_records_exposed': ['265 (2021 Email Breaches)',
'~19,000 (2022 Spreadsheet '
'Leak)',
'Undisclosed (45 Other '
'Breaches)'],
'personally_identifiable_information': ['Names',
'Contact Details '
'(Email, Phone)',
'Family Member '
'Information',
'Associate Networks'],
'sensitivity_of_data': 'Extremely High (Life-Threatening Risk '
'to Afghans)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Email Addresses',
'Family/Associate Details',
'Application Status for '
'Relocation']},
'date_detected': '2021-04-01',
'date_publicly_disclosed': ['2021-09-01',
'2022-02-01',
'2023-08-01',
'2025-07-01',
'2025-08-21'],
'description': 'The Ministry of Defence (MoD) admitted to 49 separate data '
'breaches over four years within the unit handling relocation '
'applications for Afghans seeking safety in the UK. The '
'breaches include the 2022 leak of a spreadsheet containing '
'details of nearly 19,000 individuals fleeing the Taliban, '
'which was concealed under a gagging order until July 2025. '
'Other incidents involved inadvertent disclosure of email '
'addresses and personal details of applicants to third '
'parties. Concerns have been raised about systemic lax '
'security, inadequate remedial measures, and insufficient '
"oversight by the Information Commissioner's Office (ICO). The "
'Afghan Relocations and Assistance Policy (ARAP) scheme, now '
'closed, was marred by repeated failures, risking the lives of '
'Afghans who collaborated with British forces.',
'impact': {'brand_reputation_impact': ['Erosion of Trust in MoD Data Handling',
'Criticism from Lawyers, Data '
'Protection Experts, and Opposition '
'Parties',
'Media Scrutiny (BBC, High Court '
'Rulings)'],
'customer_complaints': ['Hundreds of Affected Afghans Represented '
'by Barings Law',
'Public Outcry and Calls for Transparency'],
'data_compromised': ['Email Addresses (265 in 2021)',
'Personal Details (Names, Contact '
'Information, Family/Associate Data for '
'~19,000 in 2022)',
'Spreadsheet Metadata (Hidden Data)'],
'financial_loss': '£350,000 (Fine for 2021 Email Breaches)',
'identity_theft_risk': 'High (Exposed PII Could Be Exploited by '
'Threat Actors)',
'legal_liabilities': ['£350,000 Fine (2021 Breaches)',
'Potential Further Fines or Legal Actions '
'Pending ICO Review',
'High Court Gagging Order (Lifted July '
'2025)'],
'operational_impact': ['Closure of ARAP Scheme (July 2025)',
'Legal Scrutiny and High Court '
'Interventions',
'Reputational Damage to MoD and UK '
'Government',
'Increased Workload for Remediation and '
'Compliance'],
'systems_affected': ['ARAP (Afghan Relocations and Assistance '
'Policy) Database',
'MoD Email Systems',
'Internal Spreadsheet Storage/Sharing Tools']},
'investigation_status': 'Ongoing (ICO Engagement, Potential Further Reviews)',
'lessons_learned': ['Systemic Failures in Data Handling Require Cultural '
'Change, Not Just Procedural Fixes',
'Gagging Orders Undermine Public Trust and Accountability',
'High-Risk Data (e.g., Refugee/Asylum Information) '
'Demands Specialized Protections',
'ICO Oversight May Be Insufficient for Government '
'Agencies Handling Sensitive Data'],
'motivation': 'Unintentional (Negligence/Lack of Compliance)',
'post_incident_analysis': {'corrective_actions': ['New Software (Labour '
'Government, Post-July '
'2024)',
'Stricter Email Review '
'Processes',
'Public Disclosure of '
'Largest Breach (July 2025)',
'Ongoing ICO Collaboration'],
'root_causes': ['Cultural Neglect of Data '
'Protection (Per Lawyers/Experts)',
'Inadequate Technical Safeguards '
'(e.g., No DLP for Spreadsheets)',
'Lack of Accountability Up the '
'Chain of Command (Per Ben '
'Wallace)',
'Over-Reliance on Manual Reviews '
"(Pre-'Two Pairs of Eyes' Rule)"]},
'recommendations': ['Independent Audit of MoD Data Protection Practices',
'Automated DLP Tools for Sensitive Data',
'Transparency in Breach Disclosures (Avoiding Legal '
'Suppression)',
'Enhanced Training with Real-World Scenarios (e.g., '
'Hidden Spreadsheet Data)',
'Third-Party Penetration Testing for Government Systems',
'Clearer Escalation Paths for Whistleblowers/Staff '
'Reporting Risks'],
'references': [{'date_accessed': '2025-08-21',
'source': 'BBC Politics Investigations',
'url': 'https://www.bbc.co.uk/news/politics'},
{'source': "UK Information Commissioner's Office (ICO)",
'url': 'https://ico.org.uk'},
{'date_accessed': '2025-07-01',
'source': 'High Court Ruling (Gagging Order Lift, July 2025)'},
{'source': 'Barings Law (Representing Affected Afghans)',
'url': 'https://www.baringslaw.com'},
{'source': 'Mishcon de Reya (Jon Baines, Data Protection '
'Specialist)',
'url': 'https://www.mishcon.com'}],
'regulatory_compliance': {'fines_imposed': '£350,000 (2021 Breaches)',
'legal_actions': ['High Court Gagging Order '
'(2023–2025)',
'Ongoing ICO Engagement',
'Potential Further Investigations '
'(Per Jon Baines, Mishcon de '
'Reya)'],
'regulations_violated': ['UK GDPR',
'Data Protection Act 2018',
'ICO Reporting '
'Requirements'],
'regulatory_notifications': ['7 of 49 Breaches '
'Reported to ICO',
'ICO Declined Further '
'Action on 2022 '
'Spreadsheet Breach']},
'response': {'communication_strategy': ['Delayed Disclosure (Gagging Orders, '
'Legal Restrictions)',
'Selective Transparency (BBC FOIA '
'Request, 2025)',
'Apologies via Political Statements'],
'containment_measures': ['High Court Gagging Order (2023–2025, '
'Lifted July 2025)',
'Internal Reviews of Breaches',
'Limited Public Disclosure (Only 4 of '
'49 Breaches Initially Public)'],
'enhanced_monitoring': 'Yes (Post-2021, Details Undisclosed)',
'incident_response_plan_activated': 'Yes (Post-2021 Breaches)',
'recovery_measures': ['Closure of ARAP Scheme (July 2025)',
'Public Apology by Defence Secretary',
'Parliamentary Scrutiny (Post-July 2024 '
'Disclosures)'],
'remediation_measures': ['New Data Handling Procedures (November '
'2021)',
'Mandatory Training for Staff',
"'Two Pairs of Eyes' Rule for External "
'Emails (Post-November 2021)',
'New Software (Introduced by Labour '
'Government, Post-July 2024)'],
'third_party_assistance': ["Information Commissioner's Office "
'(ICO) Engagement',
'Legal Counsel (High Court Gagging '
'Order, 2023–2025)',
'Data Protection Specialists (e.g., '
'Mishcon de Reya, Barings Law)']},
'stakeholder_advisories': ['Afghans Affected by ARAP Breaches (Via Legal '
'Representatives)',
'UK Parliament (Post-July 2024 Disclosures)',
'Media Outlets (BBC, Others)'],
'title': 'Dozens of UK Afghan Data Breaches Uncovered at Ministry of Defence '
'(MoD)',
'type': ['Data Breach', 'Unauthorized Disclosure', 'Privacy Violation'],
'vulnerability_exploited': ["Lack of 'Two Pairs of Eyes' Review (Pre-November "
'2021)',
'Inadequate Data Redaction in Spreadsheets',
'Poor Training on Data Protection Protocols',
'Absence of Automated Data Loss Prevention (DLP) '
'Tools']}