In a controversial decision that has sparked widespread criticism, the UK's data protection regulator, the Information Commissioner's Office (ICO), announced that it will not take enforcement action against the Ministry of Defence.

The ICO stated that the government had already taken significant steps to fix the damage, and that further action by the ICO wouldn't add much.

Critics - including MPs, legal groups, and Afghan veterans - say this sends a dangerous message: that even one of the worst government data breaches in UK history can happen without regulatory consequences. The decision contrasts sharply with the ICO's previous £350,000 fine against the MoD for a separate 2021 Afghan data breach involving 265 people.

Law firms across the country are now representing what could become one of the largest government compensation cases in UK history. Barings Law reports it is representing almost 1,000 Afghan nationals and British service personnel affected by this breach, while a Manchester-based law firm told the High Court it has more than 600 potential clients who may sue the government under data protection laws.

However, the government appears prepared for a legal battle. A spokesman for the Ministry of Defence (MoD) said the Government would "robustly defend" any legal action or bid for compensation, adding these were "hypothetical claims". It has also been reported that the MoD will not proactively offer compensation to those affected.

"Those affected are likely to have strong claims for substantial compensation against the Government for failing to keep the information secure and for inevitable anxiety, fear and distress this has then caused," said Sean Humber, a lawyer at Leigh Day representing affected Afghans.

The ICO has now launched a new guidance (see here) offering detailed instructions for identifying and removing hidden personal data from files such as spreadsheets before they are shared with the public. They include instructions on how to spot metadata, embedded files, filtered or hidden spreadsheet rows, and other forms of concealed data that can inadvertently be revealed when documents are shared online.

To address common mistakes, the guidance includes real-world examples of accidental breaches and step-by-step instructions using Microsoft Office tools such as Excel, the spreadsheet software that allows “hidden columns” which caused the Afghan breach.

No One Fired Despite £7 Billion Cost

Despite the massive financial cost and security implications, Defence Secretary John Healey refused to say whether anyone has lost their job over the Ministry of Defence data breach. LBC reports that nobody has been fired over the £7 billion Afghan data breach.

The breach has resulted in unprecedented costs. The review, a summary of which was also published on Tuesday, said more than 16,000 people affected by it had been relocated to the UK as of May this year, with the scheme understood to have cost around £400 million so far, with a projected cost once completed of around £850 million. Some estimates suggest the total cost could reach as much as £7 billion over time.

The revelation has triggered cross-party criticism and calls for accountability. Parliament's intelligence watchdog announces it will launch an inquiry into the data breach. The intelligence and Security committee (ISC), which routinely reviews sensitive material, was not informed of the data breach until the super-injunction was lifted.

Critics have attacked both the data breach itself and the government's use of the superinjunction to keep it secret. Spiked Online described it as "an anti-democratic outrage," stating that "For nearly two years, then, we have all borne blind witness to the state's conspiracy of silence."

Taliban Reportedly Using Data for Reprisals

Adding to concerns about the breach's real-world consequences, Radio Free Europe/Radio Liberty reported that more than 200 Afghan soldiers and police officers have been murdered by the Taliban since the data was inadvertently leaked by a British official in February 2022.

In response to the controversy, Defence Secretary, John Healey, has announced that no more Afghans whose data was exposed will automatically be offered relocation in the UK, nor will they be given compensation. The UK Government abruptly closed the ARAP scheme to new applications on 1 July 2025, just weeks before the public disclosure.

The case has raised broader questions about government accountability and the use of superinjunctions. Legal experts are questioning whether super-injunctions should be used at all, when the cornerstone of democratic legal systems is the principle of open justice.