Afghan data breach: MoD has not done enough to stop future similar incident, PAC warns
The Public Accounts Committee (PAC) is not confident that the MoD has done enough to reduce the risk of future incidents like the 2022 Afghan data breach.
In a new report, the PAC has delivered its verdict on the MoD’s actions relating to the breach, which put many thousands of Afghans at risk of reprisal from the Taliban, at a financial cost to the taxpayer that is still not fully known but is currently estimated at c.£850m (excluding legal and potential compensation costs).
The report finds that in setting up the Afghan Relocations and Assistance Policy (ARAP) to help Afghan citizens who were at risk because of their work with UK forces, the MoD knew the risks in how it was managing data on the scheme.
Adequate systems were not in place to manage high volumes of sensitive personal information. The MoD did not do enough either to improve its processes, guidance and culture in response to this risk or to learn lessons from multiple data breaches over successive years.
It was disclosed in August ’25 that there were 49 separate data breaches at the unit handling applications from Afghan citizens to relocate to the UK.
The MoD has fallen below the standards that the public and Parliament should expect in the handling of sensitive personal information, and the PAC’s report calls for a full list of actions it is now taking to prevent future data breaches.
The report makes clear the lack of appropriate systems and controls in place in the MoD to manage personal data in a high-risk environment at the time of the breach.
Instead of a casework system specifically designed to process high volumes of personal data, the MoD was inappropriately relying on Excel spreadsheets stored on a SharePoint site, amidst a rapidly deteriorating security situation in Afghanistan.
This contributed to the 2022 breach, and the MoD must now confirm to the PAC that it is using a new casework system to manage all Afghan resettlement schemes.
Following the breach, the report finds the MoD has not accurately identified and accounted for the cost of the Afghan Response Route (ARR), the resettlement programme put in place as a direct result of the breach.
The MoD estimates that the ARR will cost around £850m in total, but the report notes this does not include legal costs or the potential cost of future compensation claims.
The MoD estimates that up to 27,278 people affected by the breach could be resettled in the UK; 3,383 people had arrived in the UK under the ARR by June 2025, according to Home Office data.
The PAC has asked for a six-monthly update on resettlement activity through the ARR, as well as for assurance that costs relating to the scheme will be captured accurately.
The report further sets out in detail how the MoD failed in its responsibility to enable effective scrutiny by not informing the Public Accounts Committee or the National Audit Office’s (NAO) Comptroller & Auditor General (C&AG) about the data loss.
An audit director at the NAO was told by the MoD that there was a secret matter relating to a data breach that could not be shared, without any detail of the operational consequences, number of people affected, or likely cost.
The director was told that they could not pass on this information to anyone else within the NAO, which meant the NAO was unable to do its job in supporting the C&AG to provide assurance to Parliament on the MoD’s use of public money.
As a result, the report tells the MoD it should come to an agreement with the PAC and C&AG on how it will ensure they have sufficient and timely information to enable them to undertake their roles in the context of any similar situations in the future.
The PAC’s inquiry heard that a proposal for a Parliamentary oversight committee looking at more sensitive aspects of defence work, particularly defence and the nuclear enterprise, was being considered at the highest level within government. In the opinion of the PAC, this matter is moving far too slowly.
Chair comment
Sir Geoffrey Clifton-Brown MP, Chair of the Public Accounts Committee, said:
“It is the duty of this Committee to report on the farrago of errors and missteps that led to, and followed, the Afghan data breach. The Ministry of Defence knew what it was doing - it knew the risks of using inadequate systems to handle sensitive personal information as the security environment in Afghanistan deteriorated.
“Indeed, data breaches occurred in 2021 which were sufficiently serious to have to be reported to the Information Commissioner’s Office, giving a warning which MoD should have taken steps to heed.
“These risks crystallised into dozens of data breaches over years, and ultimately resulted in the 2022 breach, presenting a grave risk to thousands of lives and a cost to the taxpayer running into hundreds of millions of pounds, at least.
“I take no pleasure as Chair of this Committee in stating now that we lack confidence in the MoD’s current ability to prevent such an incident happening again.
“We have now taken evidence from the MoD on what happened, and other Parliamentary Committees are also scrutinising the incident. But raking through such details after the fact is of course not how Parliamentary scrutiny ought to function.
“Our inquiry has established the chain of events which led to the PAC and the National Audit Office being blocked from doing its work on behalf of the taxpayer.
“The frankly chaotic decision to tell a single director within the NAO that there was a secret matter that could not be shared, without informing the leadership of the NAO itself, is emblematic of the quality of the MoD’s decision-making.
“The MoD’s outgoing Permanent Secretary told our inquiry that this period of secrecy in how taxpayers’ money was being spent had been ‘deeply uncomfortable’ for him.
“That is just as it should be, and we are glad to hear it - but as a consequence of elected representatives being prevented from holding government to account, it is not nearly sufficient, and he should never have been put in such a position by his minister.
“This Committee will continue to seek formal arrangements to allow proper scrutiny of sensitive defence spending, in order that no Permanent Secretary will ever have to face this type of situation again.”
Original article link: https://committees.parliament.uk/committee/127/public-accounts-committee/news/210440/afghan-data-breach-mod-has-not-done-enough-to-stop-future-similar-incident-pac-warns/


