People icons and data showing data leak

Data Leak Prompted Secret Relocation of Thousands of Afghans to the UK

Concerns about reprisal by the Taliban prompted the UK government to secretly grant asylum to thousands of Afghans and allow them to immigrate to the country, in the wake of a 2022 data leak by the Ministry of Defence.

The immigration program was hidden from the public by a superinjunction preventing any media outlets from reporting on it, only now being lifted by the present Labour government. The country relocated about 4,500 Afghans under the belief that the Taliban would violently retaliate due to the exposure of assistance they provided to the UK military.

Data leak stemmed from email sent to incorrect addresses

The program includes Afghans who assisted UK forces from their initial entry in 2001 as part of the response to the US September 11 terror attacks, to the Taliban takeover in 2021 that followed the rapid withdrawal of foreign military forces. The resettlement is thought to have cost the UK government about 2 billion pounds ($2.7 billion) in total.

The data leak came in early 2022, when a spreadsheet containing information about Afghans who had applied for relocation to the UK on the basis of their prior assistance to the military was accidentally sent to email addresses that were “outside of government systems.” In August 2023, the Ministry of Defence (MoD) discovered that part of that spreadsheet had been published on Facebook. In September 2023 the UK government, then headed up by the Conservative Party, filed for a superinjunction to suppress any mention of the lost spreadsheet as well as any mention of the court order itself. This was based on a reasonable belief at the time that the Taliban had not become aware of the spreadsheet’s existence and total media suppression might keep it from them.

The government initiated the Afghanistan Response Route (ARR) plan in April 2024 to rapidly relocate those on the list that it believed were at the greatest risk of Taliban reprisal. The spreadsheet contained the personal information of over 18,000 people, but ultimately only about 4,500 were relocated to the UK (about 900 individuals connected to the UK military and 3,600 of their relatives). A High Court judge ruled in May 2024 that the superinjunction should be overturned, but was superseded on review by the Court of Appeal in July 2024. The current Labour government once again petitioned for the superinjunction to be overturned, which was granted this time given evidence that the Taliban has shown little interest in pursuing retribution against the impacted Afghans.

Reveal of data leak comes amidst heightened immigration tensions

Several media sources reportedly knew of the data leak from at least 2023, but were forced to suppress the story due to the superinjunction. While there was an initial legitimate basis for concern about the safety of the impacted Afghans, critics contend that the superinjunction was kept in place into 2024 primarily out of concern by the then-ruling Conservative government that the story would be damaging to their election chances. The incoming Prime Minister in 2024, Keir Starmer, was reportedly not told of the data leak until after he took office.

Reporters with The Telegraph say that they made contact with a senior Taliban official after the publication of the story, who claims that their government obtained the spreadsheet shortly after the original 2022 leak and have been actively “hunting” those that fled the country since by monitoring their families and known associates that remain in Afghanistan.

The story also breaks among more general heightened public dissatisfaction about the UK government’s immigration policies, one that has caused the right-wing Reform UK party (formerly the Brexit Party) to surge to the top of polling. Reports indicate that ministers are preparing for the possibility of riots over the issue, which may directly be triggered by the reveal of the data leak and subsequent secret migration program. The UK experienced a week of migration-related riots in 2024 that included attacks on mosques and hotels housing asylum seekers.

Some key details about the data leak are still not known to the public. It has been established that a British soldier sent the errant email in 2022 and that the matter appeared to be an accident (with the soldier forwarding the entire spreadsheet instead of what was supposed to be a very limited sampling of it), but it remains unclear who the “external party” who received it was or how it might have made its way to either the Taliban or the public 2023 Facebook post from there. About 1,000 Afghans on the list are preparing a lawsuit against the Ministry of Defence, seeking at least £50,000 each.

Dr. Kolochenko, CEO at ImmuniWeb, notes that these emerging details about the data leak will be key in the coming days: “This is a fairly unique and remarkably sad example of how a single data breach may pose a real threat to thousands of human lives. Whilst some cybersecurity vendors tend to exaggerate both the amplitude and consequences of data breaches, sometimes really nasty thing happen, as tellingly evidenced by this case. The question here is who will be accountable and financially liable for the consequences of this cybersecurity disaster? Given that full technical details of the breach are currently unknown, it would be premature to make conclusions, however, such major incidents rarely, if ever, occur without implication of third-party’s negligence, for example, of an IT or even cybersecurity vendor. Currently the financial burden is on British taxpayers, therefore, a thorough investigation is needed to better understand the root cause of the disastrous data breach, seek monetary compensation from all responsible parties to the fullest extent permitted by law, and ensure that such incidents will not happen again.”