UK data regulator defends decision not to investigate MoD Afghan data breach
The UK’s data protection regulator declined to launch an investigation into a leak at the Ministry of Defence that risked the lives of thousands of Afghans connected with the British Armed Forces.
The MoD was responsible for the accidental data breach, which took place in February 2022 and is likely to have cost more than £850 million. Evidence of the breach only came to light in July this year after a government superinjunction, imposed in August 2023, was lifted.
According to a report [PDF] from the National Audit Office (NAO), the MoD first became aware of the data breach in August 2023 when personal details of ten individuals from the dataset were posted to Facebook.
Speaking to MPs this week, Information Commissioner John Edwards, who oversees government data protection, said his office decided not to launch an investigation into the historic leak after meeting with MoD officials.
“During those sessions – because of the classification – no notes could be taken, so when my colleague made the decision to take no further action, and he informed me of that, we didn’t document it immediately. It was only after the superinjunction was lifted that we recorded a formal decision and put that into the system,” he said.
Appearing before the House of Commons Science, Innovation and Technology Committee, Edwards denied that the superinjunction prevented note-taking or an investigation. “It’s just that information systems make it quite difficult to store classified material and to make a meaningful decision.”
He said that after the superinjunction was lifted, the Information Commissioner’s Office (ICO) – a non-departmental government body under the Department for Science, Innovation and Technology (DSIT) – reviewed the information available and decided there was no reason to impugn that original decision.
The leaked spreadsheet comprised 33,345 lines of data, including the names and contact details of applicants to the Afghan resettlement scheme – a program for those at risk of Taliban reprisal following the withdrawal of UK and US forces in August 2021. The document also included information about applicants’ family members.
According to the NAO, the official responsible believed they were sharing a limited dataset with an external party for legitimate operational purposes. However, the spreadsheet contained additional data that wasn’t immediately visible to the sender.
“It was contained in a hidden cell,” Edwards said. “The person had a legitimate need to share a limited amount of information. They accidentally shared much more than they intended to.”
Edwards told MPs the ICO decided not to investigate because it might hinder the MoD’s response.
“My office had been informed, as we would have expected, as details emerged. We were given details of how the MoD was responding and we were satisfied with the steps that they were taking. When a breach becomes known to an organization, there is an immediate need within the organization to get to the root cause and to rectify the problems, and in this case, to keep safe people that may have been affected, and this was extremely serious. For the ICO to go in and start investigating [an incident, it] can actually get in the way.”
At the time, the ICO was also responding to a separate incident that took place in September 2021. The UK’s Afghan Relocations and Assistance Policy (ARAP), the unit in charge of relocating citizens who worked for or with the UK government in Afghanistan, failed to BCC email recipients, putting Afghan interpreters at risk. The ICO fined the department £350,000 after an investigation that concluded in late 2023.
The Information Commissioner said his office did have the capability to investigate incidents involving classified information, but, in the case of the Afghan data leak, it was constrained by a lack of resources because the department does not have enough vetted staff.
“The decision was to take no further action in terms of the formal investigation. That was not a decision to do nothing,” he said.
Immediately after the superinjunction was lifted, the ICO wrote to the Cabinet Office to say a joint effort to improve public sector data protection was “not working well enough.”
In a joint committee with DSIT and the Cabinet Office, Edwards said there would be a plan to raise standards by the end of the year.
Chair Dame Chi Onwurah said the committee had invited the Chancellor of the Duchy of Lancaster, who leads the Cabinet Office, to the hearing. Another minister was supposed to attend, but that date is yet to be set.
“We are very disappointed about the government’s failure to send a minister to the session despite the long lead time and longer delay,” she said. ®