Afghan data breach: 100,000 at risk from Taliban leak

upday.com, 5 hours ago

A data breach which may have put up to 100,000 people at risk of death or serious harm from the Taliban can now be reported more than three years after it took place. The incident involved the personal information of nearly 19,000 people who applied for the Afghan Relocations and Assistance Policy (Arap) being accidentally emailed outside secure government systems.

The breach occurred on 22 February 2022 when a UK Government worker mistakenly sent a dataset containing sensitive information whilst attempting to verify data. He believed the dataset contained around 150 rows of information, but it actually contained around 33,000 entries.

Facebook post sparks alarm

The security incident remained hidden until 14 August 2023, when an anonymous Facebook user posted a small excerpt of the dataset on the social media platform. The Ministry of Defence (MoD) was immediately notified, and around 1,800 Arap applicants in Pakistan received WhatsApp warnings from UK officials about the potential breach.

The following day, James Heappey, then armed forces minister, received an email warning from a civilian volunteer who assists Arap applicants. The volunteer warned that "the Taliban may well now have a 33,000 long kill list - essentially provided to them by the UK government" and added that "if any of these families are murdered, the government will be liable".

Unprecedented legal action

The incident was reported to the Information Commissioner's Office and Metropolitan Police on 16 August. When journalists from the Daily Mail and The News Agents podcast contacted government departments about the story, both agreed not to publish until protective measures could be implemented.

Then defence secretary Ben Wallace personally decided to seek a court order on 25 August. On 1 September, the MoD successfully obtained a superinjunction from the High Court - the first of its kind made "against the world" rather than named individuals.

Compensation plans emerge

Head media judge Mr Justice Nicklin described the superinjunction as "wholly exceptional" and said it "must be kept under active review by the court". Cabinet committee meetings in November 2023 revealed plans for a compensation scheme costing between £120 million and £350 million, not including administration costs.

The government also established the Afghanistan Response Route (ARR) for around 200 people and their dependents considered at highest risk following the breach. However, internal documents later suggested this scheme could cost around £7 billion and extend for five years.

Court battles continue

Throughout 2024, judges repeatedly extended the superinjunction despite concerns about government secrecy. Mr Justice Chamberlain noted it was "fundamentally objectionable" that decisions about thousands of lives and billions of taxpayers' money were being taken without parliamentary or media scrutiny.

Court of Appeal judges later revealed the true scale of the risk, stating that "the total numbers of people who would be exposed to a risk of death or serious harm if the Taliban obtained the data is between 80,000 and 100,000". This figure includes family members of those directly named in the dataset.

Government changes course

Following Labour's election victory on 4 July 2024, the new government began reviewing the response. An independent review by retired civil servant Paul Rimmer concluded that the data breach was "unlikely to profoundly change the existing risk profile" of those named.

The review also suggested the government may have "inadvertently added more value to the dataset" by seeking the unprecedented superinjunction and implementing a bespoke resettlement scheme. The Defence Secretary subsequently decided to close the Afghanistan Response Route.

Legal action looms

A Manchester-based law firm told the High Court in May that it has more than 600 potential clients who may sue the government under data protection laws. Government lawyers acknowledged that with the closure of the Afghanistan Response Route, the superinjunction "should no longer continue".

Mr Justice Chamberlain finally lifted the superinjunction on 15 July, allowing the data breach to be reported publicly for the first time. The incident represents one of the most significant government data breaches in recent years, with implications for thousands of Afghan nationals and their families.

(PA) Note: This article has been edited with the help of Artificial Intelligence.
