They assisted British forces during conflict. They risked repercussions for themselves and their families. And they were hoping to relocate to the UK, fearing Taliban reprisals in their homeland. Now, Afghan nationals are facing potentially lethal consequences following a data breach at the Ministry of Defence (MoD).

The data included the names and email addresses of thousands of Afghan nationals who helped our military efforts during the decades-long occupation of the country. In return they were granted anonymity to protect them from, among others, the Taliban regime, which returned to power in 2021.

Those aiding the British efforts were doing so under the Afghan Relocation and Assistance Policy (ARAP), which would help them to start new lives on these shores.

But their lives are now at risk of reprisals from what is now the government in their home country. An MoD spreadsheet containing personal data is was found to have been emailed outside the department, which led to it being released on social media platforms. That meant that those who assisted the allies during the conflict and were promised protection had, through no fault of their own, their names (and those of their families), email addresses, role in the Afghan army, MoD references and more published online.

The blunder has led to the possibility that, counting family members of those involved, up to 100,000 lives have been endangered. It’s believed that the Taliban – and those sympathetic to their cause – continue to target those who assisted the British, with imprisonment, torture and killings continuing to be reported.

It’s believed that approximately 19,000 applicants who had planned to flee Afghanistan under the ARAP scheme and build a new, safer, life in Britain are affected by the leak, which occurred in 2022 but went undetected for months, until sections of the spreadsheet were shared on Facebook in August 2023. After an investigation into the mistake, it was decided that ARAP had failed to take the necessary steps to protect the highly-sensitive information with which they had been entrusted.

When the leak was discovered the MoD applied – successfully – to the High Court for an injunction to prevent any reporting of the data breach. That injunction, and the ban on reporting, was lifted in July 2025, after which Defence Secretary John Healey issued a “sincere apology on behalf of the British government” in an address in Parliament. This was echoed by Shadow Defence Secretary James Cartlidge, whose apology was delivered on behalf of the previous, Conservative, government, which had been in power at the time of the leak and during its discovery.

Sadly, this isn’t the first time that the MoD’s data security failures have come under fire from – and fined by – the Information Commissioner’s Office (ICO). Previous incidents include the release of the email addresses of hundreds of nationals fleeing Afghanistan and the exposure of details of hundreds more going through the process of relocating to the UK.

In all, it’s believed that there were almost 50 data breaches at the department over a four-year period.