Ministry of Defence (MoD) Afghan Data Breaches


In 2021, The Ministry of Defence (MoD) experienced two shocking data breaches that put Afghans and their families at risk. This page explains how the MoD data breaches happened. 

MOD Afghan data breaches

In 2021, The Ministry of Defence (MoD) experienced two shocking data breaches that put Afghans and their families at risk.

In August 2021, the Taliban took control of Afghanistan following the withdrawal of UK and US troops. In response, thousands of people scrambled to flee the country in fear.

Many of those attempting to leave Afghanistan worked alongside the British Government and the British Army during the Afghanistan conflict. The Taliban was reportedly searching for these people to punish them. The Taliban had also threatened to prosecute, interrogate, and punish family members on behalf of individuals who did not give themselves up.

The Afghan Relocations Assistance Policy (ARAP) was the MoD team charged with the evacuation operation of Afghans who had helped the UK.

However, despite promises about safety, ARAP mistakenly copied over 250 Afghan interpreters into an email asking for an update on their situation. Email addresses were exposed in this data privacy violation, and some photographs of the interpreters. This potentially catastrophic data protection breach exposed those who worked against the Taliban and could have put the lives of these Afghan interpreters and their families at risk. 

To make matters worse, just days later, ARAP caused a second data breach compromising the safety of more Afghans who may have been eligible to relocate to the UK. Dozens of people applying to enter the UK were mistakenly ccd into an email, meaning that their email addresses were visible to all the recipients. The names of over 50 of the recipients were also exposed. At least one of the recipients was from the Afghan National Army.

Not using the bcc functionality when sending to multiple recipients is a common data privacy mistake- and one that an organisation like the MoD should have processes in place to prevent. 

These were not the only Data Protection Act failures by the MOD that year. Only a few months earlier, a member of the public discovered sensitive documents containing details about HMS Defender and the British military at a bus stop in Kent.

Thoughts from a data protection expert

Commenting on the privacy failures, Kingsley Hayes, our Head of Privacy & Data Litigation, said:

“Not using the bcc functionality when sending an email to multiple recipients is a common data privacy mistake and one that an organisation like the MoD should easily be able to prevent with the proper training and processes.

“With two remarkably similar data violations happening within days, serious questions must be asked about how such breaches are allowed to happen.

“While the immediate priority must be to secure the safety of those put at risk by the MoD’s failures, those responsible must ultimately be held to account. Lives have been put at risk by such staggering incompetence and this is simply unforgivable.”

Cross-party condemnation following the MOD Afghan data breaches

The MoD faced universal condemnation for putting vulnerable people at serious risk. 

Former defence minister Johnny Mercer tweeted that the MoD and the Home Office had been “criminally negligent“. Liberal Democrat defence spokesman Jamie Stone said the breach was “shocking and truly a betrayal“. Speaking to the media, John Healey, Labour’s Shadow Defence Secretary, said, “this breach has needlessly put lives at risk”.

Your questions answered

See our answers to the questions we were asked about the MoD data breaches 

How did the Afghan interpreter data breach happen?

The data privacy failure occurred when over 250 people seeking relocation to the UK were mistakenly copied into an email from the Afghan Relocations Assistance Policy (ARAP) – a team led by the Home Office and MoD – asking for an update on their situation.

What data was exposed in the breach?

Email addresses were exposed, and some of the addresses had photographs of the interpreters. 

Was my information accessed in the breach?

Those affected by the breach have been informed.