Information Commissioner's Office
|Printable version
ICO statement in response to 2022 MoD data breach
The ICO has been supporting and overseeing the Ministry of Defence’s (MoD) internal investigation into a data breach from 2022.
In August 2023, the MoD was made aware that an excerpt of a spreadsheet, related to applicants for its Afghan Relocations and Assistance Policy, was circulating online. The MoD reported the matter to the ICO within 72 hours, as required by law. The MoD immediately began an internal investigation into this matter, which determined that the spreadsheet, initially shared in 2022, and thought to contain data related to a small number of applicants, had contained hidden data related to more than 18,000 people.
The ICO's role is to consider the impact on people's data protection rights and what processes were in place to protect them. We have been carefully considering the circumstances of the breach throughout, supporting the MoD's own investigation.
Emily Keaney, Deputy Commissioner, said:
“This is a deeply regrettable incident that placed thousands of vulnerable people at risk. While we have been unable to comment on this matter publicly until now, I want to reassure the public that our expert team has been working behind the scenes to support and providing scrutiny to this internal investigation into what is a complex and sensitive situation.
“Data protection should never be a barrier to sharing information when this is needed to prevent harm and we accept that the initial sharing of the document was intentional and considered under the circumstances. However, there were mistakes made beyond this, with hidden data in the spreadsheet. We have been clear with the MoD that this incident is unacceptable and should never happen again – the stakes are simply too high. The public must be able to trust that the government has measures in place to protect the personal information and security of the most vulnerable people.
“We have supported the MoD with its internal investigation and carefully considered the specific circumstances under which the breach occurred, including the critical need to share data urgently in this situation. We’re reassured that the MoD’s investigation has resulted in taking necessary steps and minimised the risk of this happening again. We have also considered the proportionality of further action while the MoD rightly take steps to protect those most affected. We are satisfied that no further regulatory action is required at this time in this case.”
Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/07/ico-statement-in-response-to-2022-mod-data-breach/
Latest News from
Information Commissioner's Office
ICO welcomes Tribunal ruling on preliminary issue raised by TikTok in its appeal of 2023 penalty09/07/2025 11:25:00
The ICO welcomes the First-tier Tribunal decision on the preliminary issue raised by TikTok in its appeal against the £12.7m monetary penalty notice (MPN) issued in April 2023. The decision follows a hearing that took place from 19 to 21 May 2025.
ICO opens door to privacy-first advertising models with proposed new enforcement approach08/07/2025 09:10:00
We are calling for views on a new enforcement approach that could unlock privacy-preserving alternatives to the dominant adtech business model.
Eight men guilty following largest ever nuisance call investigation27/06/2025 12:10:00
We welcome a guilty verdict in a trial related to the unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims.
UK organisations stand to benefit from new data protection laws20/06/2025 16:25:00
The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.
23andMe fined £2.31 million for failing to protect UK users’ genetic data19/06/2025 12:25:00
We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.
Your household smart products must respect your privacy – including your air fryer18/06/2025 09:10:00
From smart speakers and fitness trackers to Wi-Fi fridges and interconnected air fryers, smart products have integrated seamlessly into people’s homes and everyday lives – in fact, research shows that four in five Brits own at least one.*
New guidance to help smart product manufacturers get data protection right17/06/2025 09:10:00
We are calling on all manufacturers and developers of smart products to prioritise people’s privacy with new guidance published yesterday (16 June).
Information Commissioner: People must trust their information is protected in the age of AI05/06/2025 17:15:00
We are stepping up our supervision of AI and biometric technologies so people can trust that even the most innovative products and services are using their personal information responsibly.