The UK Ministry of Defence (MoD) disclosed **49 data breaches** tied to its Afghan Relocations and Assistance Policy (ARAP) and related schemes, exposing sensitive personal data of Afghan nationals who worked with the UK government. The most severe incident—a **February 2022 spreadsheet error**—compromised **18,700 individuals**, with mitigation costs estimated at **£850 million**. Other breaches included **blind carbon copy (BCC) email failures** (fined £350,000 by the ICO), **WhatsApp messages with insecure personal data**, **emails sent to wrong recipients** (including non-relevant entities like a sports club), **misclassified emails**, and **a laptop screen displaying sensitive data in public**. Only **5 of 49 incidents** were reported to the ICO, though the watchdog deemed the MoD’s reporting judgment satisfactory. The breaches risked endangering Afghan allies by exposing their identities to potential Taliban retaliation, while also damaging the MoD’s reputation and operational trust.
Source: https://www.civilserviceworld.com/professions/article/mod-afghan-data-breaches-pac-letter
TPRM report: https://www.rankiteo.com/company/uk-ministry-of-defence
"id": "uk-5033050102025",
"linkid": "uk-ministry-of-defence",
"type": "Breach",
"date": "2/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': '~18,700 Afghan Nationals (and '
'others in smaller breaches)',
'industry': 'Defence and National Security',
'location': 'United Kingdom',
'name': 'UK Ministry of Defence (MoD)',
'type': 'Government Department'},
{'customers_affected': '~18,700 (spreadsheet error) + '
'others in 48 additional '
'incidents',
'location': 'Afghanistan/UK',
'name': 'Afghan Relocations and Assistance Policy '
'(ARAP) Beneficiaries',
'type': 'Individuals'},
{'location': 'Afghanistan/UK',
'name': 'Afghanistan Locally Employed Staff Ex-Gratia '
'Scheme Beneficiaries',
'type': 'Individuals'}],
'attack_vector': ['Human Error (Spreadsheet Mismanagement)',
'Misconfigured Email (BCC Errors)',
'Insecure Communication (WhatsApp)',
'Physical Exposure (Laptop Screen in Public)',
'Incorrect Data Classification (Emails)'],
'data_breach': {'data_exfiltration': 'No (Unintentional Disclosure)',
'file_types_exposed': ['Spreadsheet (February 2022)',
'Emails (BCC Errors)',
'WhatsApp Messages',
'Microsoft Forms Data'],
'number_of_records_exposed': ['~18,700 (spreadsheet error)',
'Hundreds (BCC errors)',
None],
'personally_identifiable_information': ['Names',
'Contact Details',
'Relocation Status',
'Employment History '
'with UK Government'],
'sensitivity_of_data': 'High (Life-Threatening Risk for '
'Afghans)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII) of Afghan '
'Nationals',
'Email Addresses (BCC Errors)',
'Official Sensitive Personal '
'Data (Laptop Screen)']},
'date_detected': ['August 2023 (spreadsheet error from February 2022)',
'2021 (BCC incidents)',
'2021 (Microsoft Forms incident on 8 October)'],
'date_publicly_disclosed': ['July 2025 (super-injunction lifted for '
'spreadsheet error)',
'7 October 2023 (letter to MPs published by PAC)'],
'description': 'The UK Ministry of Defence (MoD) disclosed 49 data breaches '
'related to its handling of efforts to help Afghan nationals '
'who worked for the UK government. These breaches include a '
'major incident involving a spreadsheet error exposing ~18,700 '
"Afghans' data (costing £850m to mitigate), BCC email errors, "
'WhatsApp messages with insecure personal data, misdirected '
'emails, and a laptop screen displaying sensitive data in '
'public. Only five incidents were reported to the ICO, with '
"fines of £350,000 imposed for three 'blind carbon copy' "
'breaches in 2021.',
'impact': {'brand_reputation_impact': ['Severe (Public and Parliamentary '
'Scrutiny)',
'Erosion of Trust in Government Data '
'Handling'],
'data_compromised': ['Personal Data of ~18,700 Afghans '
'(spreadsheet error)',
"Email Recipients' Identities (BCC errors)",
'Sensitive Personal Data (WhatsApp, '
'misdirected emails, laptop screen)'],
'financial_loss': ['£850m (mitigation costs for spreadsheet error)',
'£350,000 (ICO fines for BCC incidents)'],
'identity_theft_risk': ['High (Exposed Afghans at Risk of Taliban '
'Retaliation)'],
'legal_liabilities': ['ICO Fines (£350,000)',
'Potential Further Legal Actions (Defence '
'Select Committee Inquiry)'],
'operational_impact': ['Reputation Damage to MoD',
'Loss of Trust Among Afghan Nationals',
'Regulatory Scrutiny (ICO, PAC, Defence '
'Select Committee)']},
'investigation_status': ['Ongoing (Defence Select Committee Inquiry)',
'PAC Review Completed (Letter Published)',
'ICO Investigation Closed (For Reported Incidents)'],
'lessons_learned': ['Need for Stricter Data Handling Protocols',
'Mandatory Training on Email/BCC Usage',
'Secure Communication Channels for Sensitive Data',
'Proactive Monitoring of Physical Data Exposure Risks'],
'motivation': 'Unintentional (Human Error)',
'post_incident_analysis': {'corrective_actions': ['ICO-Mandated Training '
'Programs',
'Policy Updates for Data '
'Classification',
'Enhanced Oversight for '
'Afghan Relocation Data'],
'root_causes': ['Lack of Data Protection Awareness',
'Inadequate Technical Safeguards '
'(e.g., BCC Enforcement)',
'Cultural Failures in Handling '
'Sensitive Data',
'Over-Reliance on Manual Processes '
'(Spreadsheets, Emails)']},
'recommendations': ['Implement Automated Redaction Tools for '
'Emails/Spreadsheets',
'Enforce Multi-Factor Authentication for Sensitive Data '
'Access',
'Regular Audits of Data Sharing Practices',
'Dark Web Monitoring for Exposed Afghan Data'],
'references': [{'date_accessed': 'September 2023',
'source': 'Public Accounts Committee (PAC) Evidence Session'},
{'date_accessed': 'October 2023',
'source': "David Williams' Letter to MPs (Published by PAC)"},
{'date_accessed': 'October 2023',
'source': 'Defence Select Committee Inquiry Announcement'},
{'date_accessed': '2023-10-16',
'source': "The Record - 'UK MoD discloses dozens of data "
"breaches in Afghan relocation blunders' (Jim "
'Dunton)',
'url': 'https://www.theregister.com/2023/10/16/uk_mod_afghan_data_breaches/'}],
'regulatory_compliance': {'fines_imposed': '£350,000 (for BCC incidents)',
'legal_actions': ['Defence Select Committee Inquiry '
'(Ongoing)',
'Public Accounts Committee (PAC) '
'Scrutiny'],
'regulations_violated': ['UK GDPR (General Data '
'Protection Regulation)',
'Data Protection Act 2018'],
'regulatory_notifications': ['5/49 Incidents '
'Reported to ICO',
'ICO Confirmed '
'Satisfaction with '
"MoD's Judgment"]},
'response': {'communication_strategy': ['Letter to MPs (7 October 2023)',
'Public Accounts Committee (PAC) '
'Disclosures',
'Defence Select Committee Inquiry'],
'containment_measures': ['Super-Injunction (Lifted in July 2025)',
'ICO Reporting for 5/49 Incidents',
'Internal Reviews'],
'incident_response_plan_activated': 'Yes (Partial; ICO satisfied '
'with escalation judgments)',
'remediation_measures': ['Mitigation Spending (£850m for '
'spreadsheet error)',
'Policy/Process Reviews (Ongoing)']},
'stakeholder_advisories': ["MPs (via David Williams' Letter)",
'Public Accounts Committee (PAC)',
'Defence Select Committee'],
'title': 'UK Ministry of Defence (MoD) Data Breaches Related to Afghan '
'Relocations and Assistance Policy (ARAP)',
'type': ['Data Breach',
'Unauthorized Disclosure',
'Human Error',
'Improper Data Handling'],
'vulnerability_exploited': ['Lack of Data Handling Training',
'Inadequate Email Security Protocols',
'Poor Access Controls for Sensitive Data',
'Improper Use of Collaboration Tools (WhatsApp, '
'Microsoft Forms)']}