The UK Ministry of Defence (MoD) is under fire after it was revealed that staff had been warned about the risks of sharing spreadsheets containing hidden tabs before a major Afghan data leak exposed the details of almost 19,000 people fleeing the Taliban. The incident, described internally as “the most expensive email ever sent,” has raised questions about government accountability, data protection, and the handling of sensitive information.
According to documents released by the Information Commissioner’s Office (ICO), MoD staff had explicit guidance highlighting the need to remove hidden data from datasets. Despite this, an official mistakenly shared a spreadsheet in 2022 that contained names, contact details, and family information of thousands of Afghans who applied for resettlement in the UK due to their ties with British forces.
The UK government has estimated the long-term cost of the breach at around £850m, as it triggered emergency resettlement efforts for those left vulnerable to Taliban persecution.
ICO Decision Not to Fine Sparks Internal Debate
Documents obtained through a Freedom of Information request reveal ICO staff expressed concerns about why the regulator did not impose a fine on the MoD, despite levying a £350,000 penalty for a smaller Afghan data breach in 2023. Staff privately acknowledged reputational risks and noted their justification for avoiding sanctions was an “imperfect answer.”
The ICO ultimately chose not to fine the MoD, citing the desire to avoid imposing further costs on taxpayers. However, internal emails show unease, with some staff questioning the two-year delay in deciding whether to investigate.
Fallout From a Hidden Tab
Hidden tabs in spreadsheet software are a common feature that make data invisible to users but accessible when settings are altered. The leak exposed sensitive details of those seeking refuge, many of whom feared retribution for their association with UK forces during the Afghanistan war.
The breach was subject to a High Court super-injunction that blocked reporting until September 2023. Written notes were banned during secret meetings between the MoD and the ICO, though a timeline memo was drafted after the injunction was lifted.
49 Breaches in Four Years
Further revelations have deepened scrutiny of the MoD’s data security. BBC News recently uncovered 49 separate breaches at the relocation unit handling Afghan resettlement applications in the last four years.
The ICO has demanded assurances that improvements are being made, warning that the government “has not yet done enough” to speed up reforms.
Government Response
An MoD spokesperson said the department has implemented stronger security measures, including better software, staff training, and data experts. “We have worked hand-in-hand with the ICO during an internal investigation and accepted all recommendations in full,” the statement said.
An ICO spokesperson added: “We are focused on ensuring causes of breaches are identified, rectified, and lessons learned. Standards must be raised, and improvements must continue.”
