Was this about protecting data subjects or protecting the state?
18 July 2025, Jemma Handley

This week’s news about the Ministry of Defence (MOD) data breach has hit me hard, not just as someone working in data protection, but as a citizen. If you missed it, the news has reported that the MOD exposed the personal details of around 18,700 Afghan citizens who supported British forces, as well as over 100 UK personnel, including members of the special forces and MI6. The total number of individuals affected, including family members, could potentially reach 80,000-100,000.
The breach happened back in 2022 but was kept completely under wraps until this week, nearly two years later. A super-injunction applied “contra mundum” (against the world) and so prevented Parliament, the press, and the public from even knowing it had occurred. Following Judicial Review, the injunction was lifted on 15 July 2025.
What struck me wasn’t just the mistake itself, but the response. I’ve been asking myself: was this about genuinely protecting the data subjects, or was it about shielding the government from scrutiny?
My initial reaction
Like most people in my field, my first instinct was to groan: another spreadsheet, another hidden row, another catastrophic failure. The MOD believed the file contained around 150 names. In fact, it had tens of thousands.
I understand human error happens. I see it regularly. But when you’re dealing with this scale and this sensitivity, the lives of people who stood by the UK in Afghanistan and potentially the identities of intelligence personnel, the stakes are beyond high. It is exactly why we have such a robust framework of data protection governance.
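The hidden-row failure mode above is one that can be checked for before a file ever leaves the building. The script below is an added example of mine, not code from this post or from the MOD; it assumes the file is an .xlsx (a zip of XML parts) and lists every sheet, row and column a recipient could simply unhide.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML SpreadsheetML namespace used by xl/workbook.xml and xl/worksheets/sheetN.xml
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
TRUE = ("1", "true")  # both xsd:boolean spellings mark an element as hidden

def audit_sheet_xml(sheet_xml: str) -> dict:
    """Count rows and list hidden rows / hidden column ranges in one worksheet part."""
    root = ET.fromstring(sheet_xml)
    rows = root.findall("m:sheetData/m:row", NS)
    hidden_rows = [int(r.get("r")) for r in rows if r.get("hidden") in TRUE]
    hidden_cols = [(int(c.get("min")), int(c.get("max")))
                   for c in root.findall("m:cols/m:col", NS) if c.get("hidden") in TRUE]
    return {"rows": len(rows), "hidden_rows": hidden_rows, "hidden_cols": hidden_cols}

def hidden_sheets(workbook_xml: str) -> list:
    """Names of sheets marked hidden or veryHidden (veryHidden never shows in the tab bar)."""
    root = ET.fromstring(workbook_xml)
    return [s.get("name") for s in root.findall("m:sheets/m:sheet", NS)
            if s.get("state") in ("hidden", "veryHidden")]

def findings(workbook_xml: str, sheets: dict) -> list:
    """Readable list of everything a recipient could unhide; an empty list means clean."""
    out = [f"hidden sheet: {n}" for n in hidden_sheets(workbook_xml)]
    for name, xml in sheets.items():
        a = audit_sheet_xml(xml)
        if a["hidden_rows"]:
            out.append(f"{name}: {len(a['hidden_rows'])} of {a['rows']} rows hidden")
        for lo, hi in a["hidden_cols"]:
            out.append(f"{name}: columns {lo}-{hi} hidden")
    return out

def audit_xlsx(path: str) -> list:
    """Open a real .xlsx on disk and run the same checks over its worksheet parts."""
    with zipfile.ZipFile(path) as z:
        sheets = {n: z.read(n).decode() for n in z.namelist()
                  if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", n)}
        return findings(z.read("xl/workbook.xml").decode(), sheets)

# Constructed sample parts (not a real file): a small visible summary tab, a veryHidden
# "Full list" tab, and hidden rows plus hidden columns on the visible sheet.
M = NS["m"]
SAMPLE_WORKBOOK = (f'<workbook xmlns="{M}"><sheets><sheet name="Summary" sheetId="1"/>'
                   f'<sheet name="Full list" sheetId="2" state="veryHidden"/></sheets></workbook>')
SAMPLE_SHEET = (f'<worksheet xmlns="{M}"><cols><col min="4" max="6" hidden="1"/></cols><sheetData>'
                '<row r="1"/><row r="2"/><row r="3" hidden="1"/><row r="4" hidden="true"/>'
                '</sheetData></worksheet>')
```

Running `findings(SAMPLE_WORKBOOK, {"Summary": SAMPLE_SHEET})` reports the hidden tab, two hidden rows and the hidden column range; a non-empty result is the signal to stop and strip the file to only what was meant to be shared.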
Was a super-injunction really the right tool?
This is where it gets unclear for me. The MOD took out a super-injunction that lasted almost 683 days. It meant no one, not even MPs, could talk about the breach or even acknowledge that an injunction existed.
Now, I get it. The MOD assessed that public knowledge of the breach could endanger lives. In fact, the court noted that “the super-injunction was granted and maintained because the MOD assessed that public disclosure of the compromise of the dataset would expose thousands of people to the risk of extra-judicial killing or serious violence by the Taliban.”
When the case returned to court on 23 November 2023, the MOD successfully argued that the injunction should continue, because there was a “real risk that (i) the Taliban do not already know about the compromise of the dataset; (ii) disclosure of the fact of the dataset would cause them to take steps which lead to their obtaining it; and (iii) in that case, many thousands whose details are included in the dataset could be killed or injured and the UK Government would have no realistic way of safeguarding them.” The purpose at that stage, they said, was to buy time to formulate a safeguarding plan.
That’s serious. And I don’t for one second want to downplay the threats these individuals may face.
But I still keep coming back to this: were there really no other options? Could key oversight bodies in Parliament have been confidentially briefed? Could affected individuals, particularly UK personnel or those most at risk, have been warned under strict conditions to allow them to take steps to mitigate risk without completely shutting down public accountability? Nearly two years of total silence begs many questions.
In fact, Mr Justice Chamberlain noted that by this time, the cohort who had been offered relocation to the UK amounted to around 20,000 people, and that the cost of this programme ran to “several billion pounds: the sort of money which makes a material difference to Government spending plans and is normally the stuff of political debate.”
That quote says a lot. The financial and operational impact of this breach was huge, yet the public, Parliament, and press were all kept in the dark. When the state chooses secrecy over scrutiny, even in the name of protection, we have to ask: who’s deciding where that line is drawn, and who’s watching them? I can see why they reached for secrecy. But that doesn’t necessarily mean it was proportionate or right.
It’s also worth noting that by May 2025, more than 600 claimants, represented by a firm of solicitors, had become aware that some kind of data breach had occurred and were preparing data protection claims. This led to further court hearings in the same month, as part of an application to vary and clarify the injunction. Those claimants have reportedly reached 1,000 and compensation claims continue.
The Rimmer Review
Then, on 25 June 2025, the court received a key document: the review report supervised by retired civil servant Paul Rimmer. An open version of the report was published alongside the judgment. Crucially, it concluded that:
- Acquisition of the dataset by the Taliban was “unlikely to substantially change an individual’s existing exposure given the volume of data already available”;
- It was “unlikely that merely being on the dataset would be grounds for targeting”;
- And that it was “therefore also unlikely that family members, immediate or more distant, will be targeted simply because the ‘Principal’ appears in the… dataset.”
In other words, the very basis for continuing to suppress this information had shifted. The risk was now considered far lower than originally thought. That raises a serious question: why did it take until July 2025 for this to become public knowledge?
The ICO’s Response
The Information Commissioner’s Office (ICO) has now commented publicly, describing the breach as “deeply regrettable” and acknowledging that it placed thousands of vulnerable individuals at serious risk.
The ICO confirmed that the MOD reported the breach within 72 hours and has cooperated fully since. Whilst no fine was issued, the ICO explained that this was due to the exceptional national security context, the MOD’s prompt mitigation efforts, and the significant public funds already spent safeguarding those affected. They also cited a desire to avoid diverting resources from meaningful remediation. This in itself caused some backlash and the Information Commissioner himself provided an additional explanation yesterday.
Importantly, this wasn’t the first time the MOD had come under enforcement for ARAP-related data handling. In 2023, the ICO fined the MOD £350,000 for a 2021 incident in which an email about the same relocation programme was sent using the “cc” rather than “bcc” field, exposing the identities of hundreds of Afghans eligible for evacuation to one another.
While I understand the logic, it does leave me asking: what message does this send? Does it deter future breaches, or does it tell smaller organisations that data protection doesn’t matter as much when you’re the government? In the circumstances, I agree that enough public money has already been spent as a result of the breach without additional fines, but we do need to reflect on what the impact of this ICO outcome will be. When enforcement feels inconsistent, public confidence may start to slip.
The Information Commissioner himself concluded, “We determined that there was little we could add in this case that would justify the further allocation of resource away from other priorities. In making that call, we have not lost sight of the fact the MoD undoubtedly got things wrong, and the consequences have been serious. Organisations must do better to ensure mistakes like this don’t happen and understand the serious implications to people’s lives if they get it wrong.”
Final thoughts
To me, this breach highlights the fragile balance between protecting national security and ensuring transparency. Yes, the MOD had to act swiftly. Yes, secrecy may have been justified in the very short term. But nearly two years of silence, no public scrutiny, and now only the beginnings of legal recourse for those affected? This one isn’t over just yet.
We all know that data protection is ultimately about protecting people, not just tick boxes and legal terms. And this case, more than most, shows what’s at stake when that duty is forgotten.
This article reflects my own professional opinion based on information available at the time of writing. It is not intended as legal advice.
For advice on how to share information lawfully without disclosing hidden datasets, please email dpo@jhdataprotection.com for bespoke advice.