The Ministry of Defence admitted 49 data breaches linked to the Afghan Relocations and Assistance Policy (Arap) programme, far exceeding the four previously acknowledged. Email security failures affected about 300 people and one incident led to a £350,000 ICO fine. In July 2025 the data of almost 19,000 asylum seekers was released in error by a staffer, revealed after a superinjunction was lifted. A third-party supplier at Stansted suffered a cyber attack exposing 3,700 records, some connected to Arap. Legal representatives called the pattern catastrophic and demanded full transparency and proper victim notification. The MoD declined to detail the other breaches.
The Ministry of Defence (MoD) has admitted there have been more than 12 times as many data breaches linked to its Afghan Relocations and Assistance Policy (Arap) programme than previously thought. Until now, a total of four breaches were known to have hit Arap, a scheme established back in April 2021 to bring Afghan citizens at risk of Taliban persecution to safety in the UK. However, according to Freedom of Information (FoI) figures released to the BBC, the true number is actually 49.
According to the BBC, the MoD declined to comment on the precise nature of any of the other breaches. Two of the known breaches relate to failings around email security hygiene and collectively affected about 300 individuals. The more significant of the two resulted in the imposition of a £350,000 fine on the MoD by the Information Commissioner's Office (ICO) - a move considered out-of-step with the regulator's usual policy of not fining government bodies involved in incidents.
Then, in July 2025, far more serious data protection failings at the MoD emerged when it was revealed that the data of almost 19,000 asylum seekers had been released in error by a staffer. This only came out after the lifting of a superinjunction preventing the media from reporting on the data breach. Earlier in August, it was also revealed that a third-party services provider working with the MoD at Stansted Airport suffered a cyber attack that compromised the data of 3,700 people including some associated with Arap. Speaking to the BBC, Barings Law head of data protection Adnan Malik - whose firm is already representing over 1,000 Afghan claimants who had their data leaked in prior breaches, described how an apparently isolated incident was now growing into a series of "catastrophic failings". Malik called for the MoD to be fully transparent going forward, saying victims should not be finding out the truth from lawyers or journalists.
Collection
[
|
...
]