Ministry of Defence permanent secretary David Williams has admitted feeling “deeply uncomfortable” about the veil of secrecy surrounding his department’s multi-million-pound Afghan data breach, which kept the National Audit Office in the dark for nearly two years.
Members of parliament’s Public Accounts Committee heard this week that NAO head Gareth Davies did not learn about the February 2022 data breach – which the department estimates will cost £850m to mitigate – until July this year.
The debacle saw an MoD official mistakenly share a spreadsheet containing around 18,700 names of Afghans seeking resettlement to the UK because they worked for the UK government when it was part of the US-led occupation of Afghanistan.
The named individuals had applied for schemes created ahead of 2021’s fall of Kabul, including the Afghan Relocations and Assistance Policy. The February 2022 data breach involved “hidden” details of applicants being shared along with details of around 150 highlighted applicants and prompted the creation of a new relocation scheme: the Afghan Resettlement Route.
The data error only came to light 18 months after the actual breach, when details of the full list of resettlement applicants emerged on social media. The government subsequently secured a “super-injunction” prohibiting reporting of the data breach, the ARR programme to fix it, or the existence of the injunction. The injunction was only lifted in July this year, almost two years after it was imposed.
The National Audit Office and chairs of relevant parliamentary select committees were not “read in” to the super-injunction, which was imposed two weeks after the data-breach came to light. It meant that unlike ministers, the then-shadow defence secretary John Healey, and at least one journalist, they were not aware of the injunction – and the impact on MoD finances it might have.
At Monday’s PAC session, NAO head Davies said the MoD’s sole concession to informing the public spending watchdog about the massive data breach and its potential financial implications was a single, vague briefing to a staff member. She was told that no-one else at the NAO could be informed.
Public Accounts Committee chair Sir Geoffrey Clifton-Brown said excluding the NAO head – who is tasked with signing off the MoD’s accounts – was a “very, very unsatisfactory way of dealing with matters”.
Davies told the session that the first he had known about the data breach and the super-injunction was in July this year.
“The only attempt to raise this with my staff was at the time of auditing the 2023-24 accounts,” he said. “My audit director was briefed that there was a ‘secret matter’ that couldn’t be shared, but it meant that there was a data breach that hadn’t been included in the full list in the governance statement in the accounts. There was no briefing about the operational consequences of this, the number of people affected, the likely cost. So it wasn’t really anything like an adequate briefing of the auditor.”
He said the audit director had been explicitly told that she “couldn’t tell anybody at the NAO about the detail that she had been briefed with”.
Davies told MPs that the NAO is only now able to look at whether the MoD had made adequate provision in its accounts for the full cost of the ARR – introduced as a direct result of the data breach.
An interim report from the public spending watchdog published last week said it is too early to say whether the MoD’s estimate of the £850m lifetime cost for the ARR is accurate. More than 7,000 people are being relocated under the programme.
Quizzed about the NAO head being kept in the dark about the data-breach and super-injunction, Williams said the matter had ultimately been a decision for ministers.
He told MPs that he never expected the super-injunction to be in place for as long as it was – and that the NAO head would likely have been brought on board if the real timescale had been known.
“I think, with hindsight, that it’s not sustainable to have kept the comptroller and auditor general at arm’s length for a period of two years,” Williams said. “Had we expected it to be two years when this started, I would have felt more clearly about the need to bring him in then.”
Williams told MPs that his initial expectation was that the super-injunction would be in place for a matter of weeks or months – and that he had believed it would be lifted by the end of the 2023-24 financial year. That would have allowed for the data breach and related costs to have been referenced in the MoD’s 2023-24 report and accounts.
Williams said that, instead, the MoD’s experience of the super-injunction was that it had been extended on a “rolling” basis.
He added: “Not much of the expenditure for the Afghan Response Route had been incurred in the set of accounts that we have published. There is a live conversation about liabilities and provisions. Although our ability to have reported those in the accounts, given the super-injunction, would have been limited.”
The MoD’s 2024-25 annual report and accounts is yet to be published.
“No estimate” for compensation costs
Williams began his appearance at Monday’s PAC session by making a personal apology for the data breach, on top of comments made by ministers in July.
“I deeply regret that the breach happened and that the department fell below the standards that I, you and the public might rightfully expect,” Williams said.
However, the permanent secretary subsequently told MPs that his department had yet to set aside any contingent liability for compensation to victims of the data breach.
“The government’s position is that it plans to defend compensation claims robustly in the courts,” he said. “So we will see where we come out on that.”
Last week’s interim NAO report said the cost of the MoD’s Afghan resettlement activity between 2021 and 2029 is forecast to exceed £2bn, with more than 27,000 people expected to be resettled through the ARR and ARAP schemes.
Williams suggested that the total cost to government of Afghan resettlement would be significantly higher.
“I think that what we have said is that the full cost to government overall to date, or at least the costs that will be incurred for individuals to whom offers have been made and we’ve started the process of relocation, is about £2.7bn and the full cost, overall could be around double that,” he said.
Williams subsequently added: “To clarify, that overall figure from me is a combination of the ARAP scheme, the Afghan Citizen Resettlement Scheme, that was run by the Home Office, and our Afghan Response Route.”
Williams is due to step down as MoD perm sec in the coming weeks, after four and a half years in post. A recruitment campaign for his successor is open to applications until 30 September.
Last week the Defence Select Committee launched a “broad inquiry” into the February 2022 data breach. It is open to written submissions until 14 October.