
Almost a year after Britain's Ministry of Defence was forced to publicly acknowledge one of the worst data breaches in government history, thousands of Afghans whose personal information was exposed remain stranded under Taliban rule — and 49 of their family members and colleagues have been confirmed dead in incidents linked directly to the leak, according to research submitted to Parliament.
A BBC report published June 7, 2026, profiled an Afghan interpreter now living in north London whose brother's resettlement application has been rejected and remains under appeal. His brother is still in Afghanistan. The report marks almost one year since a superinjunction suppressing all public knowledge of the breach was lifted, and it surfaces a new obstacle: in April 2026, the MoD ended in-country assistance for movements out of Afghanistan, requiring eligible Afghans to reach a safe third country independently before their cases can be processed.
What MoD Kept Secret for More Than Three Years
In February 2022, a member of staff at UK Special Forces headquarters accidentally emailed a spreadsheet containing the names, contact details, and case information of approximately 19,000 Afghans who had applied for protection under the Afghan Relocations and Assistance Policy (ARAP) — a scheme set up the previous year to help those who had worked alongside British forces escape Taliban reprisals. The spreadsheet contained 33,000 rows of data once family members were included.
The MoD did not discover the breach until August 2023, when parts of the database appeared in a Facebook group. Rather than notifying those at risk, the government sought an unprecedented superinjunction from the UK High Court, arguing that up to 100,000 lives could be endangered if the Taliban obtained the dataset. The gagging order prevented any media reporting and barred even the parliamentary Public Accounts Committee and the National Audit Office from being informed. Victims were not told their data had been compromised until July 2025 — more than three years after the breach occurred — when the High Court finally lifted the injunction.
Afghan Resettlement: 49 Confirmed Deaths, 87 Percent of Victims Threatened
The academic study that put the human cost in numbers was conducted by the charity Refugee Legal Support in collaboration with Professor Sara de Jong of the University of York and Professor Victoria Canning of Lancaster University. Surveying 350 Afghans — 231 of whom had been officially notified by the MoD that their data was compromised — it found that 49 reported a colleague or family member had been killed as a direct result of the breach. Some 200 respondents, or 87 percent, reported experiencing personal risks or threats to their family members, ranging from home raids to extreme violence. Taliban forces had raided the homes of 105 respondents or their family members. The research was submitted as written evidence to the House of Commons Defence Select Committee.
Sir Geoffrey Clifton-Brown, chair of the Public Accounts Committee, which published a damning report on the MoD's handling of the breach in November 2025, said the department "knew what it was doing — it knew the risks of using inadequate systems to handle sensitive personal information as the security environment in Afghanistan deteriorated." The PAC concluded that it lacked confidence in the MoD's current ability to prevent a similar breach in the future.
How a Spreadsheet on SharePoint Exposed 19,000 Lives
The mechanism behind the breach was not a cyberattack. It was a structural failure of basic data governance. Rather than using a casework system designed for high-volume sensitive personal data, the MoD's ARAP team was managing thousands of records using Excel spreadsheets stored on a SharePoint site — a setup the PAC later called "inappropriate" and "neither appropriate nor adequate." A staff member emailed the spreadsheet to a recipient outside government. The data subsequently passed between individuals; one in Afghanistan eventually posted nine names on Facebook, prompting a defence caseworker to describe the risk as "bone-chilling."
The Information Commissioner's Office (ICO), which had fined the MoD £350,000 in December 2023 for a separate series of smaller 2021 email breaches that exposed 265 Afghans' contact details, chose not to formally investigate the far larger 2022 spreadsheet leak. The ICO described the 2022 breach as a "one-off occurrence" and said no further regulatory action was required. That decision drew fierce criticism from data protection specialists and human rights lawyers.
"What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings," said Adnan Malik, head of data protection at Barings Law, which represents more than a thousand Afghan claimants. A Freedom of Information request disclosed by the BBC revealed that 49 separate data breaches had occurred at the unit handling ARAP applications over four years — of which only four had previously been made public.
MoD Data Breach Taliban Risk: Families Beaten, Relatives Deported
The consequences have been documented in individual cases as well as aggregate surveys. An Afghan man who worked as an interpreter for British forces told reporters his brother — a civil engineer — was imprisoned by the Taliban and beaten until his spine was broken in three places. His brother remains in Afghanistan with no route to safety. A second case, reported by the BBC's Newsnight programme, involved a member of Afghanistan's elite "Triples" special forces, whose ARAP application had been endorsed by the MoD. While his family waited in Pakistan for a final decision, local authorities raided their hotel. His son, who escaped and spoke to the BBC, pleaded for intervention. After the interview, the father was deported back to Afghanistan.
In one of the more striking footnotes to the affair, British authorities tracked down an Afghan national who had obtained the leaked data and posted nine names on Facebook. Facing demands to remove the data, the government offered an expedited review of his previously rejected ARAP application. He is now in the UK. Government sources told the BBC the individual had effectively leveraged the dataset as a bargaining chip for entry to the country.
How Many Afghans Are Still Stranded After UK Data Breach?
According to the MoD's own estimates, reviewed by the Public Accounts Committee, up to 27,278 Afghans are eligible for resettlement in the UK as a result of the breach. That figure comprises approximately 7,355 who became eligible specifically because their data was leaked and who were previously ineligible for any other scheme, plus 16,108 who were already eligible through ARAP because they or a family member had worked with UK forces in exposed or meaningful roles. As of June 2025 — the most recent figures from the Home Office — only 3,383 people had arrived in the UK under the Afghanistan Response Route (ARR), the scheme set up in April 2024 specifically to resettle breach victims.
That leaves approximately 24,000 people still waiting. The MoD has said it expects the resettlement process to take years. The ARAP and ACRS resettlement schemes were closed to new applicants on July 1, 2025, and a December 2028 backstop is the stated outer limit for completing the programme.
The National Audit Office, in a report published in September 2025, found that the MoD had been unable to provide sufficient evidence to support its £850 million cost estimate for the ARR scheme — a figure that excludes legal costs and potential compensation payments. The PAC chair has warned that in the worst-case scenario, compensation claims alone could run into the billions.
Government Ends In-Country Support, Critics Respond
In April 2026, the MoD ended in-country assistance for moving eligible Afghans out of Afghanistan, citing evidence of successful self-moves and value-for-money considerations. Those found eligible must now reach a safe third country independently before the UK will process their cases.
A Ministry of Defence spokesperson said: "The UK has operated exceptionally generous Afghan resettlement schemes and our ambition remains to conclude it within this Parliament. However, we want to reassure eligible Afghans that once they reach a safe third country, we maintain provision of our current support until 2028."
Critics noted the incongruity of that position: the very people who need to self-move to a third country are, in many cases, in hiding from a government that has already demonstrated it can find them. Professor Sara de Jong of the Sulha Alliance, which supports Afghans who worked with the British Army, called the broader pattern of compounding failures "astonishing."
ARAP Breach: Legal Action Underway Against MoD
In December 2025, Barings Law took the first formal legal step against the MoD, submitting a letter of claim on behalf of approximately 1,000 Afghan claimants each seeking £50,000 in compensation. The firm's chairman, Robert Whitehead, stated that the firm had evidence of clients killed, extorted by the Taliban through threats against relatives, and others still in hiding in Afghanistan "living in constant fear." The MoD has said it will "robustly defend" against legal action.
Leigh Day, a second law firm, was also representing at least 70 claimants as of July 2025, estimating compensation in the thousands of pounds per person, with higher amounts likely for those still in Afghanistan. The two firms' combined client pools represent just a fraction of the roughly 19,000 original data subjects, suggesting total liability could be significantly higher than any current estimate.
What UK Data Protection Law Requires After a Breach Like This
Under the UK's data protection framework — specifically the UK General Data Protection Regulation and the Data Protection Act 2018 — organisations are required to notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms. The MoD knew of the breach by August 2023. It did not notify affected individuals until July 2025: a gap of approximately 23 months. The ICO, which received notification of the breach in 2023, worked under the constraints of the superinjunction and chose not to compel earlier notification. That decision has become a subject of its own inquiry, with advocacy organizations calling for a formal review of the ICO's independence and its practice of reduced sanctions for government bodies.
The gap between the legal standard and what actually happened has a direct cost that can now be measured: 49 deaths confirmed, 87 percent of affected individuals reporting personal risk, and more than 23,000 people still waiting for resettlement more than four years after the breach that placed them in danger.
Frequently Asked Questions
How many Afghans were affected by the MoD data breach?
Approximately 19,000 Afghans who had applied for the UK's Afghan Relocations and Assistance Policy had their personal data exposed when a spreadsheet was accidentally emailed outside government in February 2022. The spreadsheet contained 33,000 rows of data including family members. The MoD has estimated that up to 27,278 people are eligible for resettlement in the UK as a result of the breach, but only 3,383 had arrived in the UK by June 2025.
Are Afghans still stranded in Afghanistan after the UK data breach?
Yes. As of the most recent Home Office statistics from June 2025, approximately 24,000 of the 27,278 people deemed eligible for UK resettlement because of the breach had not yet arrived. In April 2026, the MoD ended in-country assistance, meaning eligible Afghans must now arrange their own travel to a safe third country before the UK will process their cases.
Has the MoD been held accountable for the Afghan data breach?
The ICO fined the MoD £350,000 for a separate series of smaller 2021 email breaches involving 265 Afghans' contact details. For the far larger 2022 spreadsheet breach, which exposed approximately 19,000 people, the ICO chose not to formally investigate — a decision widely criticized by lawyers and data protection specialists. In December 2025, Barings Law filed the first formal compensation claim against the MoD on behalf of approximately 1,000 claimants seeking £50,000 each. The MoD has said it will defend the case.
What caused the MoD Afghan data breach?
The breach was not a cyberattack. A member of staff at UK Special Forces headquarters accidentally emailed a spreadsheet containing the personal details of approximately 19,000 Afghan ARAP applicants to a recipient outside government. The MoD was using Excel spreadsheets stored on SharePoint — a setup Parliament later called "inappropriate" — rather than a purpose-built secure casework system. The data passed between individuals and parts were eventually posted on Facebook in August 2023, at which point the government discovered the breach.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




