Government's Use of Super-Injunction Leaves Defense Secretary John Healey Uneasy Following Afghanistan Data Breach Incident
In February 2022, a significant data breach occurred within the Ministry of Defence (MoD) when a spreadsheet containing personal data of 18,714 Afghan nationals was mistakenly emailed to an unauthorised recipient. The data, which included highly sensitive information such as names, contact details, and family member details of those who had applied under the Afghan Relocations and Assistance Policy (ARAP), put not only the individuals on the list at risk but potentially up to 100,000 people, amplifying the severity of the incident.
The leak also revealed the names of over 100 British special forces personnel, MI6 spies, and military officers, further compromising national security. The breach went unnoticed by the authorities for over a year and only came to light publicly in mid-2023 when some of the data appeared online.
In response to the data compromise, the UK government initiated a new secret settlement scheme called the Afghan Response Route (ARR) in Autumn 2023. This scheme aimed to relocate thousands of Afghan nationals who were not previously eligible for ARAP but were judged to be at the highest risk from Taliban reprisals because their identities had been exposed. To date, almost 7,000 Afghan nationals are reported to be in the process of being relocated to the UK under this secret initiative, with broader estimates suggesting nearly 24,000 Afghan nationals are involved overall.
The financial cost of addressing the fallout from the breach is substantial. The MoD stated relocation costs alone were around £850 million, while internal documents suggested the broader financial impact—including existing Afghan support schemes and litigation risks—could reach £6 billion or more.
The government initially applied for a super-injunction in September 2023 to prevent any media reporting on the incident or even acknowledging the injunction’s existence. For nearly two years, 8 media organisations and their journalists were prohibited from reporting on the data breach, effectively keeping it secret from the British public, parliamentarians, and press. The government eventually lifted the injunction in July 2025, allowing full disclosure of the details following sustained legal challenges.
Defence Secretary John Healey, who took office after the breach, launched an independent review to address the problems he inherited upon becoming defense secretary. He stated that those responsible for the data leak would have to account for their actions. He was, however, "deeply uncomfortable" with the government using a super-injunction to hide a massive data breach and refused to name anyone specifically responsible.
When asked about who is responsible for the leak, Healey stated that it was a matter for the court. He also defended the government's decision to keep the data leak secret, which put thousands of lives at risk. Healey is not planning to launch a witch hunt or point fingers at individuals responsible for the data leak but emphasised the importance of robust data governance, especially when human lives and national security are involved.
Johnny Mercer, former veterans minister, has claimed to know the person responsible for the data leak. Ministers, according to Healey, need to provide judges with a "fresh assessment" in order to have the super-injunction lifted. Healey also refused to criticise former Conservative defence minister Ben Wallace for initially applying for the super-injunction. No information about any other super-injunctions in place was provided by Healey.
This breach exposed deep vulnerabilities in government data handling and raised serious concerns about national security and the welfare of vulnerable Afghans who supported British efforts. The episode underscores the importance of robust data governance, especially when human lives and national security are involved.
- The war-and-conflicts in Afghanistan, coupled with the politics surrounding policy-and-legislation, have been heavily covered in general news, with the recent data breach at the Ministry of Defence being a significant addition to this coverage.
- The crime-and-justice aspect of the data breach involves the individuals responsible for the mishandling of sensitive data, potentially facing legal consequences for compromising national security and putting lives at risk.
- As a result of the data breach, there have been significant changes in the UK's policy-and-legislation and politics, including the implementation of the Afghan Response Route (ARR) to provide a safe passage for Afghan nationals at risk, and the scrutiny of data governance procedures to prevent such incidents in the future.
