UK Government data breach led to risk of death to 100,000 Afghanis and an extraordinary Government response (or cover up) potentially costing 7 billion pounds
July 16, 2025 |
That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over were leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to UK so far. So far, so bad.
What is very interesting to legal practitioners is that the Government sought and obtained a super injunction which involved a gag order relating to the data breach and its contents. It was the first time the Government sought a super injunction and it was the longest ever granted.That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.
In reviewing and ultimately lifting the gag order teh court made the following points regarding the grant and continuation of a super injunction:
- the grant of a super-injunction in the circumstances of this case gave rise to serious free speech concerns [10]
- a super-injunction had the effect of completely shutting down the ordinary mechanisms of accountability which operate in a democracy. This led to what I described as a “scrutiny vacuum” [10].
- there was real uncertainty about the effect of the super-injunction on a much larger group affected by the disclosure of the dataset, whom the Government had decided would not be relocated or otherwise assisted [13]
- while the super-injunction was on balance likely to be having a protective effect on the relocation cohort, there was a significant chance that it was in fact endangering some of them. The effect of the super-injunction on the larger non-relocation cohort was likely to be adverse overall [16]
- copy of a review report concluded with respect to individuals whose data is included in the dataset, that acquisition of the dataset by the Taliban is “unlikely to substantially change an individual’s existing exposure given the volume of data already available”. It also includes the conclusions that “it appears unlikely that merely being on the dataset would be grounds for targeting” and it is “therefore also unlikely that family members—immediate or more distant—will be targeted simply because the ‘Principal’ appears in the… dataset” [25]
Super injunctions are a feature of privacy litigation in the United Kingdom. They are difficult to obtain and remain controversial. Given the paucity of Australian jurisprudence to date in this area they are not a feature of Australian law. That said, they are not precluded. Injunctions and suppression orders have long been a feature in blackmail cases, which are admittedly rare. The principles are longstanding. An injunction is appropriate where damages are not an adequate remedy and and interim injunction is appropriate where it would render any final award nugatory. In the privacy context what is being sought is the protection from an invasion privacy. Injunctive relief may be appropriate. it is specifically part of the legislative reform to the Privacy Act 1988 which enacted a statutory tort of serious invasion of privacy. That does not of itself suggest that super injunctions of the type present in the United Kingdom will be a feature of Australian privacy litigation.
The BBC article provides:
Thousands of Afghans have moved to the UK under a secret scheme which was set up after a British official inadvertently leaked their data, it can be revealed.
In February 2022, the personal details of nearly 19,000 people who had applied to move to the UK after the Taliban seized power in Afghanistan were leaked.
The previous government learned of the breach in August 2023 when some of the details appeared on Facebook.
A new resettlement scheme for those on the leaked list was set up nine months later, and has seen 4,500 Afghans arrive in the UK so far.
But the existence of the leak and relocations were kept secret after the government obtained a super-injunction stopping it from becoming public.
Details of the major data breach, the response and the number of Afghans granted the right to live in the UK as a result only came to light on Tuesday after a High Court judge ruled the gagging order should be lifted.
The leak contained the names, contact details and some family information of people potentially at risk of harm from the Taliban.
Downing Street would not confirm whether the official responsible for the leak had faced disciplinary action, with a spokesman saying they would not comment on individuals.
The government also revealed on Tuesday:
- The MoD believes 600 Afghan soldiers included in the leak, plus 1,800 of their family members, are still in Afghanistan
- The scheme is being closed down, but relocation offers already made to those who remain in Afghanistan will be honoured
- The secret scheme – officially called the Afghan Relocation Route – has cost £400m so far, and is expected to cost a further £400m to £450m
- The breach was committed mistakenly by an unnamed official at the MoD
- People whose details were leaked were only informed on Tuesday
Speaking in the House of Commons, Defence Secretary John Healey offered a “sincere apology” to qathose whose details had been included in the leak, which came to light when some appeared on Facebook.
He said it was as a result of a spreadsheet being emailed “outside of authorised government systems”, which he described as a “serious departmental error” – though the Metropolitan Police decided a police investigation was not necessary.
Healey said the leak was “one of many data losses” related to the Afghanistan evacuation during that period, and contained the names of senior military officials, government officials and MPs.
Conservative leader Kemi Badenoch apologised on behalf of her party.
She told LBC: “Somebody made a terrible mistake and names were put out there… and we are sorry for that. That should not happen.”
In a 2024 High Court judgement made public on Tuesday, Mr Justice Chamberlain said it was “quite possible” that some of those who saw parts of the leaked document in a Facebook group “were Taliban infiltrators or spoke about it to Taliban-aligned individuals”.
It had earlier been feared the number of people at “risk of death or serious harm” because they appeared on the list, or because their family member did, could be as high as 100,000.
However, a review of the incident carried out on behalf of the MoD found it was “highly unlikely” an individual would have been targeted solely because of the leaked data, which “may not have spread nearly as widely as initially feared”.
The MoD has declined to say how many people may have been arrested or killed as a result of the data breach.
The same review judged the secret scheme to be an “extremely significant intervention” given the “potentially limited” risk posed by the leak.
An email has been sent to those impacted by the breach, urging them to “exercise caution”, and take steps like protecting their online activities and not responding to messages from unknown contacts.
Healey said those who have been relocated to the UK have already been counted in immigration figures.
‘Unprecedented’
Tuesday’s disclosure dates back to the August 2021 withdrawal of US troops from Afghanistan, which saw the Taliban retake power and quickly surround the capital Kabul.
The leak involved the names of people who had applied for the Afghan Relocations and Assistance Policy (Arap) scheme, which the UK government set up to rapidly process applications by people who feared reprisals from the Taliban and move them to the UK.
The evacuation – which saw 36,000 Afghans moved to the UK – has already been heavily criticised in the years since it was launched, with a 2022 inquiry by the Foreign Affairs Committee finding it was a “disaster” and a “betrayal”.
When the government set up a new relocation scheme last year in response to the leak, members of the press quickly learned about the plans.
The government asked a judge to impose an injunction on the media. The court then imposed a type of order which prevented outlets from reporting any detail of the leak, or even that the injunction itself existed. Healey said he was not aware of any other similar injunctions being in place.
He told the House even he had been prevented from speaking about the breach because of the “unprecedented” injunction, after being informed while still shadow defence secretary.
Reading a summary of his judgment in court, Mr Justice Chamberlain said the gagging order had “given rise to serious free speech concerns”.
He continued: “The super-injunction had the effect of completely shutting down the ordinary mechanisms of accountability which operate in a democracy.
“This led to what I describe as a ‘scrutiny vacuum’.”
Court documents disclosed on Tuesday revealed then-Defence Secretary Ben Wallace “personally” applied for the stringent injunction in order to give the government time to do “everything it reasonably can to help those who might have been put at further risk by the data compromise”.
The injunction was extended in November 2023 on the basis the Taliban may not have been aware of the leaked data’s existence.
However, Mr Justice Chamberlain decided to lift it on the ground the MoD’s internal review found the Taliban “likely already possess the key information in the dataset” and confirmation of its existence was “unlikely” to “substantially” raise the risk” faced by those impacted.
Shadow defence secretary James Cartlidge, who was in government when the secret scheme was established, said “this data leak should never have happened and was an unacceptable breach of all relevant data protocols”.
Erin Alcock, a lawyer for the firm Leigh Day, which has assisted hundreds of Arap applicants and family members, called the breach a “catastrophic failure”.
Earlier this month, the government confirmed it had offered payouts to Afghans whose information had been compromised in a separate data breach.
The Times article provides:
The British military is responsible for a data leak that put up to 100,000 Afghans at risk of death — and successive governments have spent years fighting to keep it secret using an unprecedented superinjunction.
Some 24,000 Afghans affected by the breach have either been brought to the UK already or will be in future as part of the biggest covert evacuation operation in peacetime. Up to £7 billion of taxpayers’ money was once earmarked to handle the fallout.
John Healey, the defence secretary, said he had felt “deeply uncomfortable” about what happened and apologised on behalf of the government after senior MPs criticised the draconian gagging order.
Tan Dhesi, the Labour chairman of the defence select committee, told Times Radio the data breach and superinjunction were “an absolute mess and wholly unacceptable” as he said he was “minded” to carry out an investigation given the “serious ramifications”.
“It’s shameful, I think, that those Afghans who bravely supported our service personnel are now at risk and could be subject to reprisals or recrimination,” he said.
Mr Justice Chamberlain, the judge presiding over the case, said the “long-running and unprecedented” order had given rise to “serious free speech concerns” and had left a “scrutiny vacuum”. Handing down his judgment, he said the gagging order had the effect of “completely shutting down the ordinary mechanisms of accountability which operate in a democracy”.
UK government officials were also left exposed when in February 2022 a soldier inadvertently sent a list of tens of thousands of names to Afghans as he tried to help verify applications for sanctuary in Britain.
The database of 33,000 records was then passed on and one of the individuals who received it threatened to publish the dataset on Facebook, which it was feared would have given the Taliban what amounted to a “kill list”.
The MoD would not confirm on Tuesday night if the individual had faced disciplinary action as a result, or if anyone had been sacked.
The soldier responsible for the leak was operating under the command of General Sir Gwyn Jenkins, the current head of the navy, who was director of special forces at the time. When asked on Tuesday whether the prime minister retains full confidence in his naval chief, Sir Keir Starmer’s spokesman replied: “He does.”
A highly secretive mission, codenamed Operation Rubific, was launched to shut down the leak and stop the details of the breach becoming public.
A superinjunction — the first to be deployed by the government and the longest ever — which prevented anyone revealing even the existence of such an order, was put in place in September 2023. As it was lifted on Tuesday, after a two-year legal battle spearheaded by The Times, there were concerns in government about the risk of rioting because of the secret scheme bringing in thousands of Afghans.
At the 11th hour, The Times and other media organisations were hit with a new interim injunction that blocked the publication of sensitive information about what exactly was on the database, on the grounds of confidentiality and national security. The government argued the leaked list still posed a potential risk to Afghans.
The removal of the superinjunction followed an independent review, ordered by Healey and carried out by the retired civil servant Paul Rimmer, that concluded early concerns about the intent of the Taliban to target those on the list had “diminished”.
The review also found the superinjunction may have made matters worse by increasing the value of the dataset to the Taliban.
A lawsuit involving some 1,000 of those affected across the world is being prepared against the government and is expected to cost it at least £250 million.
The vast majority of those affected by the leak, which has been described by activists as “simply bone-chilling”, were not warned they were in danger as ministers sought to cover it up.
This is despite government fears the Taliban could suddenly come into possession of the Ministry of Defence (MoD) database, which was in the hands of at least one potential blackmailer. It included sensitive information — including email addresses and phone numbers — about individual Afghan cases, as well as email addresses belonging to UK government officials.