The Ministry of Defence (MoD) has admitted there have been more than 12 times as many data breaches linked to its Afghan Relocations and Assistance Policy (Arap) programme than previously thought.
Until now, a total of four breaches were known to have hit Arap, a scheme established back in April 2021 to bring Afghan citizens at risk of Taliban persecution to safety in the UK. However, according to Freedom of Information (FoI) figures released to the BBC, the true number is actually 49.
According to the BBC, the MoD declined to comment on the precise nature of any of the other breaches.
Two of the known breaches relate to failings around email security hygiene and collectively affected about 300 individuals. The more significant of the two resulted in the imposition of a £350,000 fine on the MoD by the Information Commissioner’s Office (ICO) – a move considered out-of-step with the regulator’s usual policy of not fining government bodies involved in incidents.
Then, in July 2025, far more serious data protection failings at the MoD emerged when it was revealed that the data of almost 19,000 asylum seekers had been released in error by a staffer. This only came out after the lifting of a superinjunction preventing the media from reporting on the data breach.
Earlier in August, it was also revealed that a third-party services provider working with the MoD at Stansted Airport suffered a cyber attack that compromised the data of 3,700 people including some associated with Arap.
Speaking to the BBC, Barings Law head of data protection Adnan Malik – whose firm is already representing over 1,000 Afghan claimants who had their data leaked in prior breaches, described how an apparently isolated incident was now growing into a series of “catastrophic failings”.
Malik called for the MoD to be fully transparent going forward, saying victims should not be finding out the truth from lawyers or journalists.
ESET global cyber security advisor Jake Moore said that in general, human error is still a weak point in data protection, with a great many breaches caused by wrongly-sent emails or missed security checks.
“But when the data includes highly sensitive information, the threat level dramatically increases,” said Moore. “Sensitive data should always require stricter protection through encryption and extra human checks, especially when lives are at risk.
“Repeated incidents not only rub salt into the wound but show systemic weaknesses meaning security needs to be improved in organisational culture. Confidence in security can easily be lost and in this case the leaks threatened not only privacy but people’s safety,” he added.
The MoD told the BBC it took data security “extremely seriously” and that the department was committed to making sure incidents were dealt with in accordance with the law, including referral to the ICO if an incident meets the relevant thresholds.
MoD beefing up data protection with AI-backed tech
Earlier in August, the MoD appointed Australian cyber security scaleup Castlepoint Systems to deploy an AI platform to manage its data protection practice.
Castlepoint’s proprietary, explainable AI model manages structured and unstructured data, enables automated records management, discovery, privacy and security, and helps ensure regulatory compliance.
Castlepoint says its technology can sift through vast datasets, the scale of which would rapidly overwhelm a human, identify their contents, and apply the correct security measures to them.
Source link
