UK secretly relocates nearly 7,000 Afghans after massive MoD data breach

High Court lifts gagging order as government faces scrutiny over Afghan data leak

The UK government is secretly relocating nearly 7,000 Afghans to Britain under a classified scheme set up in response to a catastrophic Ministry of Defence (MoD) data breach, it was revealed on Tuesday, following the lifting of a superinjunction by the High Court.

The scheme, now known as the Afghan Relocation Route, was launched nine months after a British official mistakenly leaked the personal data of nearly 19,000 Afghans in February 2022.

These individuals had applied to relocate to the UK under the Afghan Relocations and Assistance Policy (Arap) following the Taliban’s takeover of Afghanistan in August 2021.

The breach, which involved names, contact details and family information of Afghan nationals – many of whom were military allies, interpreters and aid workers – only came to public knowledge this week after a High Court judge ruled the government’s gagging order should be lifted.

The UK government became aware of the leak in August 2023, when sensitive details appeared in a Facebook group.

However, the government kept both the leak and the resulting relocations hidden from the public by securing a superinjunction – an extraordinary legal tool that not only barred the media from reporting the breach but also from disclosing the existence of the injunction itself.

This unprecedented legal move created what Mr Justice Chamberlain, the High Court judge who lifted the order, described as a “scrutiny vacuum” that effectively shut down the usual mechanisms of democratic accountability.

“This super-injunction had the effect of completely shutting down the ordinary mechanisms of accountability which operate in a democracy,” the judge said.

“This led to what I describe as a ‘scrutiny vacuum’.”

In response to the breach, the government quietly launched the Afghan Relocation Route. So far, 4,500 Afghans have arrived in the UK under the initiative, with the total number expected to reach nearly 7,000 once remaining approved cases are processed.

The £400 million scheme is expected to cost up to £850 million in total. However, it is now being wound down, though the government has pledged to honour all existing relocation offers to those still in Afghanistan.

As of Tuesday, the MoD revealed that 600 Afghan soldiers and around 1,800 of their family members remain in Afghanistan and are eligible for relocation.

The government said an emails were sent to individuals whose data had been leaked, urging them to take security precautions including avoiding unknown contacts and safeguarding their digital communications.

Serious departmental error

Speaking in the House of Commons on Tuesday, defence secretary John Healey offered a “sincere apology” for the breach, which he described as a “serious departmental error” caused by a spreadsheet being emailed outside authorised government systems.

He admitted the breach was part of a series of data losses that occurred during the hasty evacuation of Kabul in 2021.

The spreadsheet reportedly contained names of Afghan allies, British MPs, senior military figures, and government officials.

Healey also said he had been prevented from speaking publicly about the breach while he was still the shadow defence secretary, due to the superinjunction.

Downing Street declined to confirm whether the unnamed official responsible for the breach faced any disciplinary action.

Barings Law, which represents around 1,000 of the victims, accused the MoD of attempting to “hide the truth from the public.” The firm is preparing potential legal action on behalf of affected individuals.

A review commissioned by the MoD concluded that while initial fears estimated up to 100,000 people might be at risk due to the leak, it is now considered “highly unlikely” that any individual was targeted solely because of the compromised data.

Nonetheless, Mr Justice Chamberlain noted in his judgment [pdf] that it was “quite possible” some of those who viewed the leaked spreadsheet in a Facebook group were Taliban infiltrators or sympathisers.

The MoD has not confirmed whether anyone has been arrested or killed as a result of the breach.

Not the first data breach

This is not the MoD’s first data protection failure involving Afghan nationals.

In September 2021, the personal details of 265 Afghan interpreters were accidentally shared with hundreds of others via an email error.

The UK Information Commissioner fined the MoD £350,000 in December 2023, calling the breach egregious and potentially life-threatening.

Earlier this month, the MoD invited victims of that breach to claim up to £4,000 in compensation, four years after the incident occurred.