The Ministry of Defence (MoD) has admitted that the scale of data breaches linked to its Afghan Relocations and Assistance Policy (Arap) programme is far larger than previously disclosed.
Newly released figures show there have been 49 breaches, more than twelve times higher than the four cases previously acknowledged.
The Arap scheme, launched in April 2021, was created to relocate Afghan citizens at risk of Taliban reprisals to safety in the UK. But repeated failures in data security have now raised serious questions about how the department has handled highly sensitive information.
Serious Incidents
Two earlier breaches involved poor email security, affecting around 300 people. One was so serious it resulted in a £350,000 fine from the Information Commissioner’s Office (ICO), an unusually tough penalty for a government body.
In July 2025, another major lapse came to light when the details of almost 19,000 asylum seekers were mistakenly released by an MoD employee. The error only became public after legal restrictions on reporting were lifted.
Just weeks later, a cyber attack on a contractor working with the MoD at Stansted Airport compromised the personal data of a further 3,700 individuals, including some linked to Arap.
‘Catastrophic Failings’
Adnan Malik, head of data protection at Barings Law, which represents over 1,000 Afghan claimants, described the pattern of incidents as “catastrophic failings”.
“Victims should not be learning the truth from lawyers or investigative work,” he said, urging full transparency from the department.
Cyber security expert Jake Moore warned that repeated breaches highlight weaknesses in culture as much as in technology.
“When the data includes highly sensitive information, the threat level dramatically increases,” he said. “Confidence in security can easily be lost, and in this case, the leaks put not just privacy but people’s safety at risk.”
MoD’s Next Steps
The MoD has said it takes data protection “extremely seriously” and continues to report incidents to the ICO where required.
As part of efforts to strengthen safeguards, the department has contracted Australian cyber security firm Castlepoint Systems to deploy an AI-driven platform capable of managing vast amounts of sensitive data and applying the correct protections.
The system is designed to detect and secure information at a scale that would overwhelm human staff, helping the MoD enforce compliance and prevent repeat failures.
Despite these assurances, the admission of 49 breaches has fuelled growing concern that those who risked their lives alongside British forces in Afghanistan are still being let down years later.
