Afghan data breach: MoD has not done enough to stop future similar incident, PAC warns
- Verdict delivered on govt's failure to enable effective Parliamentary scrutiny of data loss
- Ministry of Defence's (MoD) failure to learn lessons from past breaches resulted in breach putting many thousands of lives at risk

The Public Accounts Committee (PAC) is not confident that the MoD has done enough to reduce the risk of future incidents like the 2022 Afghan data breach. In a new report, the PAC has delivered its verdict on the MoD's actions relating to the breach, which put many thousands of Afghans at risk of reprisal from the Taliban, at a financial cost to the taxpayer that is still not fully known but is currently estimated at c.£850m (excluding legal and potential compensation costs).

The report finds that in setting up the Afghan Relocations and Assistance Policy (ARAP) to help Afghan citizens who were at risk because of their work with UK forces, the MoD knew the risks in how it was managing data on the scheme. Adequate systems were not in place to manage high volumes of sensitive personal information. MoD neither did enough to improve its processes, guidance and culture in response to this risk, nor to learn lessons from multiple data breaches over successive years. It was disclosed in August '25 that there were 49 separate data breaches at the unit handling applications from Afghan citizens to relocate to the UK.

The MoD has fallen below the standards that the public and Parliament should expect in the handling of sensitive personal information, and the PAC's report calls for a full list of actions it is now taking to prevent future data breaches.

The report makes clear the lack of appropriate systems and controls in place in the MoD to manage personal data in a high-risk environment at the time of the breach.
Instead of a casework system specifically designed to process high volumes of personal data, the MoD was inappropriately relying on Excel spreadsheets stored on a SharePoint site, amidst a rapidly deteriorating security situation in Afghanistan. This contributed to the 2022 breach, and the MoD must now confirm to the PAC that it is using a new casework system to manage all Afghan resettlement schemes.

Following the breach, the report finds the MoD has not accurately identified and accounted for the cost of the Afghan Response Route (ARR), the resettlement programme put in place as a direct result of the breach. The MoD estimates that the ARR will cost around £850m in total, but the report notes this does not include legal costs or the potential cost of future compensation claims. MoD estimates that up to 27,278 people affected by the breach could be resettled in the UK; 3,383 people had arrived in the UK under the ARR by June 2025, according to Home Office data. The PAC has asked for a six-monthly update on resettlement activity through the ARR, as well as for assurance that costs relating to the scheme will be captured accurately.

The report further lays out in detail the events behind MoD's failure in its responsibility to enable effective scrutiny by not informing the Public Accounts Committee or the National Audit Office's (NAO) Comptroller & Auditor General (C&AG) about the data loss. An audit director at the NAO was told by MoD that there was a secret matter relating to a data breach that could not be shared, without any detail of the operational consequences, number of people affected, or likely cost. The director was told that they could not pass on this information to anyone else within NAO, which meant it was unable to do its job in supporting the C&AG to provide assurance to Parliament on the MoD's use of public money.
As a result, the report tells the MoD it should come to an agreement with the PAC and C&AG on how it will ensure they have sufficient and timely information to enable them to undertake their roles in the context of any similar situations in the future.

The PAC's inquiry heard that a proposal for a Parliamentary oversight committee looking at more sensitive aspects of defence work, particularly defence and the nuclear enterprise, was being considered at the highest level within government. In the opinion of the PAC, this matter is moving far too slowly.

Sir Geoffrey Clifton-Brown MP, Chair of the Public Accounts Committee, said:

“It is the duty of this Committee to report on the farrago of errors and missteps that led to, and followed, the Afghan data breach. The Ministry of Defence knew what it was doing - it knew the risks of using inadequate systems to handle sensitive personal information as the security environment in Afghanistan deteriorated. Indeed, data breaches occurred in 2021 which were sufficiently serious to have to be reported to the Information Commissioner's Office, giving a warning which MoD should have taken steps to heed. These risks crystallised into dozens of data breaches over years, and ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer running into hundreds of millions of pounds, at least. I take no pleasure as Chair of this Committee in stating now that we lack confidence in the MoD's current ability to prevent such an incident happening again.

“We have now taken evidence from the MoD on what happened, and other Parliamentary Committees are also scrutinising the incident. But raking through such details after the fact is of course not how Parliamentary scrutiny ought to function. Our inquiry has established the chain of events which led to the PAC and the National Audit Office being blocked from doing its work on behalf of the taxpayer.
The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD's decision-making.

“The MoD's outgoing Permanent Secretary told our inquiry that this period of secrecy in how taxpayers' money was being spent had been “deeply uncomfortable” for him. That is just as it should be, and we are glad to hear it - but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister. This Committee will continue to seek formal arrangements to allow proper scrutiny of sensitive defence spending, in order that no Permanent Secretary will ever have to face this type of situation again.”

Notes to editors

Alongside the Committee's report, the Chair of the PAC has also written to the Permanent Secretary of the Ministry of Defence expressing disappointment at how frequently the MoD has failed to provide information requested or required to be notified to the PAC within reasonable timescales or by pre-agreed deadlines – that letter is attached to the release.

PAC report conclusions and recommendations

The Department's poor management of personal information put the lives of many thousands of Afghans at risk. A significant data breach occurred in February 2022 which has led to an estimated 7,355 people becoming eligible to be resettled in the UK through the ARR. The Department set up this scheme to relocate those who were at high risk of being targeted by the Taliban because their personal information was included in the data breach, and their family members. An estimated further 16,108 people affected by the data breach were already eligible to be resettled through the ARAP because they or a family member worked with the UK government in Afghanistan in exposed or meaningful roles.
In total, the Department has estimated that up to 27,278 people affected by the data breach could be resettled in the UK. According to Home Office immigration statistics published in August 2025, 3,383 people had arrived in the UK under the ARR by June 2025.

Recommendation 1. The Department should write to the Committee by March 2026 and every six months to provide an update on resettlement activity through the ARR.

The Department did not have appropriate systems and controls in place at the time of the February 2022 breach to manage personal data in a high-risk environment. The Department did not use a caseworking system designed to hold and process high volumes of sensitive personal information relating to the government's Afghan resettlement schemes until May 2022, when it introduced the Defence Afghan Casework System. Instead, the Department relied on Excel spreadsheets stored in a SharePoint site, which was neither appropriate nor adequate for handling thousands of lines of personal data. The Department was still managing its data in this way when it launched the ARAP in April 2021, amidst a rapidly deteriorating security situation in Afghanistan. The manner in which the Department was storing and accessing this data contributed to the February 2022 data breach. This is because the individual who sent the email inadvertently shared data on 18,700 people without knowing it was included in the spreadsheet. They thought they were sharing only information relating to 150 people, for a legitimate purpose to gather information about applicants' eligibility.

Recommendation 2. The Department should provide confirmation to the Committee that it is now managing all Afghan resettlement schemes through its new caseworking system and provide us with assurance that this would prevent a recurrence of the February 2022 breach or similar.

The Department did not do enough to learn the lessons from previous data breaches.
Before the February 2022 data breach, the Department had policies in place to protect against the loss of personal information. After three separate data breaches in autumn 2021 relating to the ARAP, the Department reviewed its data protection policies and guidance, and it worked with the Information Commissioner's Office (ICO) to make targeted improvements to prevent similar incidents from recurring. Despite this, the Department continued to experience data breaches, including the significant data breach in February 2022. In August 2025, the Department disclosed that there had been 49 separate data breaches to date at the unit handling applications from Afghan citizens to relocate to the UK, seven of which met the threshold for disclosure to the ICO. The Department continues to work to reduce the risk of further data breaches, but it has not given us confidence that sufficient action has yet been taken.

Recommendation 3. Alongside its Treasury Minute response, the Department should write to the Committee to provide details of:
The Department failed in its responsibility to enable effective scrutiny by the Public Accounts Committee and the National Audit Office. Ministers decided who should be informed about, or 'read in to', the super-injunction, balancing the need to know against further increasing the risk to the lives of those affected. The data loss was not publicly disclosed in the House of Commons, nor reported in the Department's Annual Report and Accounts for 2023-24. Nor did the Department inform the Chair of the Public Accounts Committee or the Comptroller and Auditor General in confidence. The Department's Permanent Secretary told us that, from an accounting officer perspective, the period in question had been "deeply uncomfortable". The Department did brief the NAO audit director at the time of auditing the 2023-24 accounts that there was a secret matter that could not be shared, and it meant there was a data breach that had not been included in the governance statement in the accounts. There was no briefing of the NAO about the operational consequences, the number of people affected, or the likely cost. The audit director was told that they could not pass on any information to anyone else at the NAO. This was not sufficient to enable the NAO to do its job, which is to support the C&AG to provide assurance to Parliament on the Department's use of public money.

Recommendation 4.
The Department did not put in place a mechanism to accurately identify and account for the costs of resettling individuals who were at high risk due to the data breach. The Department accounted for the costs of the ARR within its total spending on Afghan resettlement schemes, rather than identifying them separately, arguing that this was necessary to avoid breaching the terms of the super-injunction. The Department now acknowledges that it could, in anticipation of the super-injunction being lifted and the resulting parliamentary scrutiny, have accounted for the costs of the ARR separately. Many elements of the ARR and the pre-existing ARAP, such as flights and accommodation, were the same and so it should have been perfectly possible for the Department to determine the costs of each scheme. The Department estimates that the ARR scheme - the additional programme put in place as a direct result of the data breach - will cost around £850 million in total, with around £400 million spent by July 2025. This estimate does not include legal costs, or the potential cost of future compensation claims against the Department from affected individuals. The Department has so far been unable to provide sufficient evidence to give the NAO confidence in its estimate. The Department anticipates being able to give the NAO more detailed information on costs as part of its next report on the Afghanistan resettlement schemes overall.

Recommendation 5. In its Treasury Minute response to this report, the Department should explain how it is ensuring that the resettlement costs related to the ARR are now being captured separately and accurately in its accounting system.
