Almost 7,000 Afghan nationals are being relocated to the UK following a massive data breach by the British military that the government tried to keep secret with a super injunction.
The blunder exposed the personal information of close to 20,000 individuals, endangering them and their families.
The UK only informed everyone on Tuesday – three and a half years after their data was compromised.
The Ministry of Defence said the relocation costs alone will be around £850m. An internal government document from February this year said the cost could rise to £7bn, but an MOD spokesperson said that this was an outdated figure.
However, litigation against the UK arising from the mistake could add additional cost, as well as whatever the government has already spent on the super injunction.
Details about the blunder can finally be made public after a judge lifted a super injunction that had been sought by the government.
Barings Law, a law firm that is representing around 1,000 of the victims, accused the government of trying to hide the truth from the public following a lengthy legal battle.
Defence Secretary John Healey offered a “sincere apology” for the data breach in a statement to MPs in the House of Commons on Tuesday afternoon.
He said he had felt “deeply concerned about the lack of transparency” around the data breach, adding: “No government wishes to withhold information from the British public, from parliamentarians or the press in this manner.”
The disaster is thought to have been triggered by the careless handling of an email that contained a list of the names and other details of 18,714 Afghan nationals, who had been trying to apply to a British government scheme to support those who helped or worked with UK forces in Afghanistan that were fighting the Taliban between 2001 and 2021.
Afghan co-workers and their families board a plane during the Kabul airlift in August 2021. Pic: South Korean Defense Ministry/ZUMA Press Wire/Shutterstock
People gathered desperately near evacuation control checkpoints during the crisis. Pic: AP
The evacuation at Kabul airport was chaotic. Pic: AP
The collapse of the western-backed Afghan government that year, saw the Taliban return to power. The new government regards anyone who worked with British or other foreign forces during the previous two decades as a traitor.
The source said a small number of people named on the list are known to have subsequently been killed though it is not clear if this was a direct result of the data breach.
It is also not clear whether the Taliban has the list – only that the Ministry of Defence lost control of the information.
Adnan Malik, head of data protection at Barings Law, said: “This is an incredibly serious data breach, which the Ministry of Defence has repeatedly tried to hide from the British public.
“It involved the loss of personal and identifying information about Afghan nationals who have helped British forces to defeat terrorism and support security and stability in the region.
“A total of around 20,000 individuals have been affected, putting them and their loved ones at serious risk of violence from opponents and armed groups.”
The law firm is working with around 1,000 of those impacted “to pursue potential legal action”.
Read more:
British couple held in Afghanistan
ICC prosecutor calls for arrest of Taliban duo
It is thought that only a minority of the names on the list – about 10 to 15% – would have been eligible for help under the Afghan Relocation and Assistance Policy (ARAP).
The breach occurred in February 2022, when Boris Johnson was prime minister, but was only discovered by the British military in August 2023.
A super injunction – preventing the reporting of the mistake – was imposed in September of that year.
It meant the extraordinary – and costly – plan to transport thousands of Afghans to the UK took place in secret until now.
Sir Keir Starmer’s government inherited the scandal.
An internal review into the affair was launched at the start of this year by Paul Rimmer, a retired civil servant.
It played down the risk to those whose data is included in the breached dataset should it fall into the hands of the Taliban.
The review said it “is unlikely to substantially change an individual’s existing exposure given the volume of data already available”.
It also concluded that “it appears unlikely that merely being on the dataset would be grounds for targeting” and it is “therefore also unlikely that family members… will be targeted simply because the ‘principal’ appears… in the dataset”.
This is why a high court judge ruled that the super injunction could be lifted.
Mr Malik, however, said that he believes there is still a risk to those named in the breach.
“Our claimants continue to live with the fear of reprisal against them and their families, when they should have been met with gratitude and discretion for their service. We would expect substantial financial payments for each claimant in any future legal action. While this will not fully undo the harm they have been exposed to, it will enable them to move forward and rebuild their lives.”
While the Ministry of Defence’s data breach is by far the largest involving Afghan nationals, it is not the first.
Earlier this month, the MOD said Afghans impacted by a separate mistake could claim up to £4,000 in compensation four years after the incident happened.
Human error resulted in the personal information of 265 Afghans who had worked alongside British troops being shared with hundreds of others who were on the same email distribution list in September 2021.
In December 2023 the UK information commissioner fined the Ministry of Defence (MoD) £350,000 and said the “egregious” breach could have been life-threatening.