The UK Ministry of Defence (MoD) suffered a severe **data breach** in 2022 when an official accidentally leaked a spreadsheet containing the personal details of nearly **19,000 Afghan applicants** under the **Afghan Relocations and Assistance Policy (ARAP)** scheme. The leaked data—including names, contact details, and relocation statuses—was posted anonymously on a **Facebook group**, exposing vulnerable individuals to risks from the Taliban. The breach, discovered in **August 2023**, led to a **super injunction** blocking media coverage until July 2024.The **Public Accounts Committee (PAC)** criticized the MoD for **repeated failures** in data handling, noting prior breaches (including a 2021 incident reported to the ICO) and a **culture of negligence** in using insecure systems like **Excel spreadsheets** for sensitive data. The leak forced the creation of the **Afghanistan Response Route (ARR)**, expanding relocation eligibility to **27,278 individuals**, with estimated costs exceeding **£850 million** (excluding legal/compensation claims). MPs expressed **no confidence** in the MoD’s ability to prevent future breaches, despite claims of improved practices, including a new **secure casework system**.The breach **endangered thousands of lives**, triggered **mass relocations**, and imposed **substantial financial and reputational damage** on the UK government, with long-term geopolitical and humanitarian consequences.
UK Ministry of Defence cybersecurity rating report: https://www.rankiteo.com/company/uk-ministry-of-defence
"id": "UK-4762947111425",
"linkid": "uk-ministry-of-defence",
"type": "Breach",
"date": "6/2021",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"{'affected_entities': [{'customers_affected': '~19,000 ARAP applicants '
'(initial breach); ~27,278 total '
'candidates for relocation '
'(including post-breach '
'additions)',
'industry': 'Defence and National Security',
'location': 'United Kingdom',
'name': 'UK Ministry of Defence (MoD)',
'type': 'Government Department'},
{'customers_affected': '~19,000 (directly exposed); '
'~7,355 additional individuals '
'made eligible for resettlement '
'post-breach',
'location': ['Afghanistan',
'United Kingdom (relocated individuals)'],
'name': 'Afghan Relocations and Assistance Policy '
'(ARAP) Applicants',
'type': 'Individuals'}],
'attack_vector': ['Human Error',
'Insecure Data Storage (Excel Spreadsheets)',
'Improper Access Controls',
'Social Media Leak (Facebook)'],
'customer_advisories': ['Apology from Defence Secretary',
'Resettlement support via ARR',
'Legal and compensation pathways for affected '
'individuals'],
'data_breach': {'data_encryption': 'No (data stored in unsecured Excel '
'spreadsheets)',
'data_exfiltration': ['Excerpts from spreadsheets posted on '
'Facebook',
'Anonymous leak'],
'file_types_exposed': ['Excel spreadsheets'],
'number_of_records_exposed': '~19,000',
'personally_identifiable_information': ['Names',
'Contact details',
'Application status',
'Other sensitive '
'personal data'],
'sensitivity_of_data': 'High (life-threatening risks to '
'exposed individuals)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Relocation application '
'details']},
'date_detected': '2023-08',
'date_publicly_disclosed': '2024-07',
'description': 'The UK Ministry of Defence (MoD) suffered a major data breach '
'in 2022 where personal details of nearly 19,000 Afghans '
'applying for the Afghan Relocations and Assistance Policy '
'(ARAP) scheme were leaked. The breach occurred due to the use '
'of insecure Excel spreadsheets to handle sensitive data, '
'which were later posted anonymously on a Facebook group. The '
'incident exposed applicants to significant risks, including '
'potential retaliation by the Taliban, and led to the creation '
'of the Afghanistan Response Route (ARR) for resettlement. The '
'MoD faced criticism for failing to address known '
'vulnerabilities and prevent repeated breaches over successive '
'years. The estimated cost of the ARR scheme is £850 million, '
'excluding legal actions or compensation claims.',
'impact': {'brand_reputation_impact': ['Loss of public trust in MoD data '
'handling',
'Criticism from MPs and Public '
'Accounts Committee (PAC)',
'Media scrutiny and negative coverage'],
'customer_complaints': ['Reports of affected individuals returning '
'to Afghanistan due to risks',
'Potential legal actions and compensation '
'claims'],
'data_compromised': ['Personal details of ~19,000 ARAP applicants',
'Names, contact information, and other '
'sensitive data'],
'financial_loss': '£850 million (estimated cost of ARR scheme, '
'excluding legal/compensation costs)',
'identity_theft_risk': ['High (exposed personal data of vulnerable '
'individuals)',
'Risk of Taliban retaliation against '
'exposed Afghans'],
'legal_liabilities': ['Potential compensation claims',
'Legal actions (costs not included in £850m '
'estimate)',
"Reporting to Information Commissioner's "
'Office (ICO)'],
'operational_impact': ['Creation of Afghanistan Response Route '
'(ARR) for resettlement',
'Super injunction imposed (Sept 2023)',
'Increased scrutiny and parliamentary '
'oversight'],
'systems_affected': ['Excel spreadsheets',
'MoD internal data handling systems']},
'investigation_status': 'Ongoing (PAC oversight, MoD internal improvements)',
'lessons_learned': ['Inadequate data handling processes and culture within '
'MoD',
'Failure to act on prior warnings and breaches (e.g., '
'2021 incidents reported to ICO)',
'Risks of using inappropriate systems (e.g., Excel) for '
'sensitive data',
'Need for robust casework systems and employee training',
'Importance of transparency and accountability in breach '
'disclosure'],
'post_incident_analysis': {'corrective_actions': ['Introduction of secure '
'casework system for Afghan '
'resettlement',
'Improvements in data '
'handling processes',
'Enhanced parliamentary and '
'public scrutiny',
'Lifting of super '
'injunction for '
'transparency'],
'root_causes': ['Use of insecure systems (Excel) '
'for sensitive data',
'Failure to heed prior warnings '
'(e.g., 2021 breaches)',
'Inadequate data handling culture '
'and processes',
'Lack of accountability and '
'proactive risk mitigation']},
'recommendations': ['Implement and enforce secure data handling systems '
'(e.g., dedicated casework platforms)',
'Conduct regular audits and risk assessments for '
'sensitive data',
'Enhance employee training on data protection and '
'cybersecurity',
'Establish clear protocols for breach response and '
'disclosure',
'Improve transparency with parliament and the public on '
'costs and impacts',
'Address cultural and procedural failures within MoD to '
'prevent recurrence'],
'references': [{'date_accessed': '2024-10',
'source': 'Sky News',
'url': 'https://news.sky.com'},
{'date_accessed': '2024-10',
'source': 'House of Commons Public Accounts Committee (PAC) '
'Report',
'url': 'https://committees.parliament.uk/committee/127/public-accounts-committee/'},
{'date_accessed': '2024-10',
'source': 'UK Ministry of Defence (MoD) Statements',
'url': 'https://www.gov.uk/government/organisations/ministry-of-defence'}],
'regulatory_compliance': {'legal_actions': ['Potential compensation claims',
'Ongoing legal risks'],
'regulations_violated': ['UK Data Protection Act '
'2018',
'GDPR (General Data '
'Protection Regulation)'],
'regulatory_notifications': ['Reported to '
'Information '
"Commissioner's Office "
'(ICO)']},
'response': {'communication_strategy': ['Public disclosure after lifting of '
'super injunction (July 2024)',
'Parliamentary scrutiny and PAC '
'report',
'Media statements'],
'containment_measures': ['Super injunction imposed (Sept 2023, '
'lifted July 2024)',
'Removal of leaked data from Facebook'],
'enhanced_monitoring': ['Ongoing improvements in data handling',
'PAC oversight and recommendations'],
'incident_response_plan_activated': True,
'recovery_measures': ['Establishment of Afghanistan Response '
'Route (ARR) for resettlement',
'Public apology by Defence Secretary John '
'Healey'],
'remediation_measures': ['Introduction of a dedicated, secure '
'casework system for Afghan '
'resettlement',
'Improvements in data handling '
'processes across MoD']},
'stakeholder_advisories': ['Parliamentary scrutiny',
'Public Accounts Committee recommendations',
"Information Commissioner's Office (ICO) "
'involvement'],
'title': 'UK Ministry of Defence (MoD) Afghan Relocation Data Breach '
'(2022-2023)',
'type': ['Data Breach', 'Unauthorized Disclosure', 'Improper Data Handling'],
'vulnerability_exploited': ['Use of inappropriate systems (Excel) for '
'sensitive data',
'Lack of data encryption',
'Poor data handling processes',
'Inadequate employee training']}