LONDON: The UK’s Ministry of Defence has admitted that 49 separate data breaches relating to Afghan relocations took place over the past four years, the BBC reported on Thursday.
The breaches occurred within the unit responsible for processing relocation claims from Afghans seeking refuge in the UK.
Of the 49 breaches, four were publicly known, including the massive 2022 leak of a spreadsheet containing the personal details of almost 19,000 people fleeing the Taliban.
That leak led to thousands of Afghans being secretly relocated to the UK, a fact that was concealed from the public for years under a gagging order lifted last month.
The latest figure of 49 breaches was revealed to the BBC through the Freedom of Information Act.
Initially, the UK’s information watchdog described the highly controversial 2022 leak as a “one-off occurrence.”
It took place “following a failure to (follow) usual checks, rather than reflecting a wider culture of non-compliance,” the watchdog claimed.
The latest figure raises concerns about a lax security culture among people working on the resettlement scheme, lawyers representing Afghans affected by the breaches said.
The MoD has not disclosed the details of each breach. However, previous incidents that were made public included officials accidentally revealing the personal details of Afghan applicants to third parties.
Barings Law is representing hundreds of Afghans affected by the major 2022 breach. The firm’s head of data protection, Adnan Malik, said: “What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings.
“We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports.”
In the wake of the Afghanistan withdrawal, the British government established the Afghan Relocations and Assistance Policy in April 2021.
The scheme was designed to help at-risk Afghans seek refuge in the UK, specifically those with close ties to the British presence in the country during the war against the Taliban.
ARAP, which closed in July this year, was beset by constant complaints relating to data security.
More than 250 Afghans seeking relocation to Britain were mistakenly copied into an email from the MoD, putting them at risk of revenge attacks by the Taliban, the BBC reported in 2021.
The UK government at the time announced “significant remedial actions” in the wake of the incident, including a new rule that any external email required a “second set of eyes” for review for before being sent.
Yet the breaches continued, including the catastrophic 2022 leak caused by a soldier at Regent’s Park barracks, who sent a spreadsheet with what they believed to be a small number of applicants’ names to trusted Afghan contacts.
Hidden data in the spreadsheet, however, were the names, personal information and family contacts of almost 19,000 people.
Jon Baines, senior data protection specialist at law firm Mishcon de Reya, said the new figures represent a “remarkable number of data security incidents in relation to the ARAP scheme.
“It is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place.”
An MoD spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.”
