MoD perm sec details Afghan data breaches in letter to MPs

David Williams lists 49 incidents related to ARAP and the Afghanistan Locally Employed Staff Ex-Gratia Scheme

By Jim Dunton

20 Oct 2025

Ministry of Defence permanent secretary David Williams has written to MPs detailing dozens of data breaches relating to his department’s handling of efforts to help Afghan nationals who worked for the UK government.  

Williams’s letter follows an evidence session with the Public Accounts Committee last month that looked at a single data breach involving around 18,700 Afghans seeking resettlement to the UK following the return to power of the Taliban. That breach – estimated to have associated costs of at least £850m to mitigate – only became widely known in July when a super-injunction was lifted.

September’s PAC session saw Williams quizzed about other data breaches related to the efforts to help Afghans who worked for the UK government during the two-decade occupation of the nation, led by the United States in conjunction with allies. 

Williams’s follow-up letter to MPs is dated 7 October but was only published by PAC last week. It lists 49 data incidents related to the Afghan Relocations and Assistance Policy – or ARAP for short – and the Afghanistan Locally Employed Staff Ex-Gratia Scheme. The super-injunction-prompting spreadsheet error, which dates back to February 2022 but was only discovered in August the following year, is one of the 49.

According to the MoD, only five of the incidents were reported to watchdog the Information Commissioner’s Office. Three incidents relate to 2021 “blind carbon copy” data breaches that the MoD was subsequently fined £350,000 over.  

Williams wrote: “The data breaches reported to, and recorded by, the ICO cover three distinct types of incident: a) The February 2022 spreadsheet incident, that was subject to the super-injunction until July 2025. b) A Microsoft Forms related incident on 8 October 2021. c) A series of ‘blind carbon copy’ related incidents. Given the similarities in context between incidents, some of these were combined for reporting reasons.” 

The BCC errors allowed hundreds of recipients of group messages to see who else was on the MoD’s list because the senders had failed to use their mail service’s BCC function. 

Among the 44 breaches described as not having been reported to the ICO are several instances of WhatsApp messages being sent with insecure personal data; personal data being sent to the wrong recipient – in one case the Civil Service Sports and Social Club; and emails with personal data sent at the wrong classification level. 

Another of the breaches involved an MODNET laptop screen being in view on a train while displaying official sensitive personal data. 

Williams, who is due to step down from his role and leave the civil service in the coming weeks, said that although only a minority of the 49 incidents had been reported to the ICO, the watchdog had subsequently confirmed it is “satisfied” with the MoD’s judgement about which incidents were escalated.

In addition to the PAC’s examination, the Defence Select Committee has launched a “broad inquiry” into the February 2022 data breach that was at the heart of the super-injunction. Its call for written evidence closed on Tuesday last week. Evidence sessions are yet to be scheduled.
