UK Government to Relocate Thousands of Afghans After Secret MoD Data Breach

The UK government is relocating nearly 7,000 Afghan nationals after a major data breach by the Ministry of Defence exposed the personal details of around 20,000 individuals.

According to media reports, the breach occurred in early 2022, but remained secret under a superinjunction until this week when the government only notified those affected . The list included Afghans who had applied for UK support due to their work with British forces during the conflict in Afghanistan. 

Relocation Programme

The relocation programme, which covers 6,900 people named on the list and their dependents, adds to the 18,500 already moved to the UK under existing Afghan resettlement schemes. A further 5,400 individuals are expected to arrive in the coming weeks, bringing the total number of relocated individuals affected by the breach to 23,900.

The incident reportedly originated from the careless handling of an email in February 2022, which revealed the identities of nearly 19,000 Afghan nationals applying for UK relocation.

Although the MoD lost control of the data, it remains unclear whether the Taliban accessed the list. A few named individuals are known to have since been killed, though any direct link to the breach is uncertain. A government-commissioned internal review downplayed the risks, saying inclusion on the list alone was unlikely to lead to targeting by the Taliban.

Barings Law, representing around 1,000 victims, criticised the government’s secrecy and indicated it will pursue legal action. The cost of the relocation programme, litigation, and other support could reach £6 billion, with internal estimates suggesting it might eventually rise to £7 billion. This is not the first such incident involving Afghan nationals—an earlier MoD breach in 2021 led to a £350,000 fine and limited compensation, highlighting ongoing issues in safeguarding sensitive data within the department.

Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said: “This is a fairly unique and remarkably sad example of how a single data breach may pose a real threat to thousands of human lives. Whilst some cybersecurity vendors tend to exaggerate both the amplitude and consequences of data breaches, sometimes really nasty things happen, as tellingly evidenced by this case.

“The question here is who will be accountable and financially liable for the consequences of this cybersecurity disaster? Given that full technical details of the breach are currently unknown, it would be premature to make conclusions, however, such major incidents rarely, if ever, occur without implication of third-party’s negligence, for example, of an IT or even cybersecurity vendor.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.