Massive Afghan data breach reveals government secrecy

The British military faces scrutiny after a catastrophic data breach exposed up to 100,000 Afghans to potential Taliban retaliation, prompting successive governments to deploy an unprecedented legal cover-up lasting nearly two years.

In February 2022, a British soldier accidentally transmitted a database containing 33,000 Afghan records to unauthorized recipients while attempting to verify sanctuary applications. The breach remained secret until August 2023, when an anonymous Afghan threatened to publish the information on Facebook.

Also read: UK defence ministry fined for Afghan data breach during ...

Taliban kill list threatens Afghan lives

The leaked database included sensitive personal information about Afghans who had applied for the UK's Afghan Relocations and Assistance Policy (Arap), along with family members' details, phone numbers, and email addresses of British government officials.

Government lawyers warned that if the Taliban obtained the dataset, as many as 100,000 Afghans would face "risk of death, torture, intimidation or harassment." The figure encompassed primary applicants and their family members, some of whom were specifically named in the compromised records.

"The fact that the Taliban may be in possession of 33,000 Arap applications, including the primary applicants' phone numbers and all the case evidence, is simply bone-chilling," wrote Person A, an activist helping Afghan refugees, in an email to then-Armed Forces Minister James Heappey.

Operation Rubific: secret evacuation mission

Following the breach discovery, the Ministry of Defence launched Operation Rubific, a covert mission to evacuate affected Afghans while preventing public disclosure. The operation included the largest peacetime covert evacuation in British history.

Defence Secretary John Healey revealed Tuesday that 18,500 Afghans affected by the breach have already been relocated to the UK, with an additional 5,400 scheduled for evacuation. The total cost of addressing the breach reached £850 million for 6,900 individuals, according to MoD figures.

Also read: UK launched secret scheme to relocate Afghans after data leak, documents show

Government superinjunction prevents media coverage

The Conservative government secured a superinjunction from the High Court on September 1, 2023, preventing any public disclosure of the breach or the court order's existence. The order remained in place for 683 days, making it the longest superinjunction in British legal history and the first sought by a government.

Labour continued advocating for the superinjunction after taking power in July 2024. Mr Justice Chamberlain criticized the order as a "wholly novel use" of superinjunctions, stating it was "fundamentally objectionable for decisions that affect the lives and safety of thousands of human beings, and involve the commitment of billions of pounds of public money, to be taken in circumstances where they are completely insulated from public debate."

£7 billion Afghan response plan approved in secret

While the superinjunction remained active, the government approved spending up to £7 billion over five years to relocate 25,000 affected Afghans under the secret Afghan Response Route (ARR) scheme. Chancellor Rachel Reeves signed off on the plan in October 2024, with the cabinet's home and economic affairs committee deeming it "appropriate."

The policy was subsequently expanded in June 2025 to include more than 42,500 individuals before an independent review questioned its necessity. Defence Secretary Healey announced Tuesday the closure of the ARR scheme, leaving thousands of affected Afghans behind.

Data breach timeline reveals government delays

The breach originated when a soldier working under General Sir Gwyn Jenkins at Regent's Park Barracks sent the database to Afghan contacts twice in February 2022. The recipients passed the information to other Afghans, with at least one copy reaching individuals in Pakistan.

The MoD remained unaware of the breach until August 14, 2023, when an anonymous Afghan posted details on a Facebook group, threatening to publish the complete dataset. Government officials immediately alerted approximately 1,800 Afghans in Pakistan about potential data compromise.

Also read: Largest population purge this decade? Iran expels half a million Afghans in rapid crackdown post-Israel wa

Independent review questions superinjunction justification

Retired civil servant Paul Rimmer's independent review, ordered by Defence Secretary Healey, concluded that early Taliban targeting concerns had "diminished" and the superinjunction may have worsened the situation by increasing the dataset's value to hostile actors.

The review noted that given existing Taliban intelligence capabilities, the dataset was "unlikely to provide considerably new or highly pertinent information." It also warned that publicity surrounding the breach revelation would "clearly be likely to attract Taliban interest in obtaining it."

Legal action threatens £250 million government payout

Manchester-based Barings Law represents approximately 1,000 breach victims preparing legal action that could cost taxpayers more than £250 million. The firm criticized the MoD's response as "wholly inadequate," particularly an email apology sent to affected individuals Tuesday morning.

"Through its careless handling of such sensitive information, the MoD has put multiple lives at risk, damaged its own reputation, and put the success of future operations in jeopardy by eroding trust in its data security measures," Barings Law stated.

Parliamentary accountability demands government transparency

Defence Secretary Healey apologized to Parliament Tuesday for the "serious departmental error," acknowledging that "full accountability to parliament and freedom of the press matter deeply to me — they're fundamental to our British way of life."

Defence Committee Chairman Tanmanjeet Singh Dhesi called the situation "a mess and wholly unacceptable," indicating potential parliamentary investigation into the breach's circumstances and government response.

The superinjunction's lifting enables public scrutiny of government decisions that affected thousands of lives and committed billions in public expenditure without democratic oversight. Many affected Afghans only learned of their exposure through government emails sent Tuesday, nearly three years after the initial breach.

Also read: Pakistan in no rush to recognise Taliban government in Afghanistan, say officials

Ongoing security concerns for Afghan refugees

Individuals in the UK and Pakistan reportedly still possess copies of the compromised database, with at least one case involving monetary exchange for the information. The MoD has implemented new security software and appointed a chief information officer to prevent future breaches.

Former British Ambassador to Afghanistan Sir William Patey described the incident as a "spectacular data breach," noting that the Taliban were already targeting individuals associated with western forces. "Providing the Taliban with a list would have made their job that much easier," he told Times Radio.

The breach highlights systemic data security failures within the Ministry of Defence, with legal experts noting it represents "just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces."