Committee says MoD's poor management of personal information put lives of many thousands of Afghans at risk
The House of Commons Public Accounts Committee (PAC) last week published a strongly worded report criticising the Ministry of Defence (MoD) for its handling of the major data breach that exposed thousands of Afghan citizens to potential Taliban reprisals.
Image credit: Wikipedia You can download the 25-page report here or read it online here.
The Committee found that the MoD knew its systems for managing sensitive information were inadequate when it set up the Afghan Relocations and Assistance Policy (ARAP) in 2021, yet it did not act sufficiently to improve its processes, culture or safeguards.
The data breach, which occurred in February 2022 but was not discovered until August 2023, involved a spreadsheet containing detailed personal information on 18,700 applicants to the ARAP and an earlier scheme being emailed outside the Department. As a result of the breach, the Afghanistan Response Route (ARR) was set up to relocate those put at particular risk.
In its report, the Committee notes that the MoD was relying on Excel spreadsheets stored on a SharePoint site rather than a casework system suited for handling thousands of sensitive records, despite escalating security threats in Afghanistan and prior data breaches in 2021. By August 2025, a total of 49 breaches had occurred within the unit handling Afghan applications to relocate to the UK, seven of which met the reporting threshold for the Information Commissioner's Office.
The PAC states bluntly: "The Department's poor management of personal information put the lives of many thousands of Afghans at risk." Over 27,000 Afghans could be resettled in the UK due to the risks from the 2022 breach. The report explains:
7. At the end of July 2025, the Department estimated that it would resettle 7,355 people through the ARR scheme as a direct result of the February 2022 data breach. This included 1,531 ‘principals’ (initial applicants) and their family members. A further estimated 16,108 people who were affected by the data breach were eligible to be resettled through the ARAP scheme because they or a family member worked with the UK government in Afghanistan in exposed or meaningful roles. The Department is also reviewing some rejected applications from people in the Afghanistan special forces, and it estimated that these applications could result in a total of up to 27,278 people affected by the data breach being resettled in the UK.
8. We asked the Department how it obtained assurance that those put at the highest risk from the data breach were identified and contacted. The Department told us that it undertook a risk assessment almost immediately after the breach was discovered, to understand which individuals were at highest risk, what that risk was and what the Department could do to mitigate it. The Department said that this was a difficult exercise which took many months because of the way the data were stored in the spreadsheet. The Department told us that there are a “handful” of principal applicants whom it has not yet contacted. The Department said this was because identifying people in Afghanistan is not straightforward and that, once it had identified an individual, it was difficult to make contact because some of the contact details that the Department holds are out of date.
9. We asked the Department how confident it was that it would be able to resettle all those individuals, and how long it would take. The Department said that the estimate of 7,355 was a “maximalist projection” because it expected that around 80% of eligible principals would take up the offer of resettlement. The Department said that it would be some years before all eligible individuals who accept the offer of resettlement were relocated to the UK. According to Home Office immigration statistics published in August 2025, 3,383 people had arrived in the UK under the ARR by June 2025.
The Committee concluded that the MoD "fell below the standards that the public and Parliament should expect" and called for a full account of actions now being taken to prevent further incidents. The MoD introduced a new Defence Afghan Casework System (DACS) in May 2022, and the Committee has asked for confirmation that all Afghan resettlement schemes are now handled through this system. The Committee also asked the MoD to provide six-monthly updates on resettlement activity through the ARR.
The report further criticises the MoD for failing to establish a clear method for identifying and accounting for the costs of the ARR scheme, which was created as a direct consequence of the breach. The Department currently estimates the ARR's cost at approximately £850 million, excluding legal expenses and potential future compensation claims. The PAC said it has not seen sufficient evidence to give the National Audit Office (NAO) confidence in this figure.
Sir Geoffrey Clifton-Brown, Chair of the PAC, commented that the report's findings set out a "farrago of errors and missteps" and criticised the MoD's continuing weaknesses in preventing data breaches. He said: "I take no pleasure as Chair of this Committee in stating now that we lack confidence in the MoD's current ability to prevent such an incident happening again."