MoD Staff Ignored Warnings on Data Security Before Afghan Leak

Fri Oct 24 2025 16:55:43 GMT+0300 (Eastern European Summer Time)

A recent report reveals that UK Ministry of Defence staff were cautioned against sharing sensitive data prior to a significant leak involving the details of nearly 19,000 Afghan asylum seekers.

Documents from the UK's Information Commissioner's Office (ICO) indicate that Ministry of Defence (MoD) staff were warned not to share data containing hidden information before a major leak occurred. The leak, which involved sensitive details of approximately 19,000 Afghan individuals seeking sanctuary in the UK, raises questions about the effectiveness of data security measures within the MoD. ICO staff expressed concern over the lack of fines imposed on the MoD, highlighting a perceived failure to adequately address the security risks associated with data handling. The government has projected potential costs from this incident at around £850 million.

Ministry of Defence staff were warned before the Afghan data leak not to share information containing hidden tabs, according to documents released by the UK's data regulator.

Last month it emerged that the details of almost 19,000 people who had applied to move to the UK were leaked when an official emailed a spreadsheet that contained a hidden tab with the information.

Documents released by the Information Commissioner's Office (ICO) also show that staff there raised concerns about why the body had not issued a fine to the MoD.

The MoD said they had worked to improve data security, but an ICO spokesperson said the government had not yet done enough to learn the lessons.

According to an ICO memo, guidance in place at the time of the leak showed that the MoD was aware of the risks of sharing data and explicitly referenced the need to remove hidden data from datasets.

Hidden tabs are a common feature in spreadsheet software and make information invisible to the user but still easily accessible if the settings are changed.

The government estimates that the 2022 leak, which led to an emergency resettlement scheme for people at risk of Taliban persecution, will eventually cost around £850 million.

A super-injunction granted by the High Court in September 2023 prevented the incident from being reported for almost two years, before the order was lifted last month.

Following the MoD's notification to the ICO about the data breach in 2023, both parties engaged in secret meetings over the next two years. The ICO later published documents detailing these discussions, including comments from officials who described the leak as likely the most expensive email ever sent.

ICO staff privately discussed the reputational risk of not taking action against the MoD, contrasting it with a £350,000 fine levied against the department for a smaller Afghan data breach in 2023.

Ultimately, the ICO decided not to impose a fine on the MoD, citing the desire to avoid additional costs to the taxpayer. Discussion of the delay in decision-making around investigations suggest internal pressures and uncertainties.

The ICO has insisted it is focused on ensuring such breaches are addressed and lessons learned, but ongoing concerns indicate a need for further improvements in government data handling practices.