UK Defence Ministry's Compliance Crisis Deepens

The UK Ministry of Defence has admitted to 49 separate data breaches involving Afghan relocation cases over four years, revealing systemic data governance failures beyond the catastrophic 2022 leak that cost the government up to £2 billion. A Freedom of Information request by the BBC has revealed there have been 49 data breaches in the past four years, including the four already known to the public, according to a report published this week.

Seven breaches were serious enough to be reported to the UK's data watchdog, the Information Commissioner's Office (ICO), three of which had not been made public. The previously undisclosed incidents included one breach in 2021 and two in 2022, the same year as the major leak of a spreadsheet containing details of almost 19,000 people fleeing the Taliban that prompted an unprecedented superinjunction.

The revelations challenge the ICO's previous characterisation of the 2022 incident as "a one-off occurrence" caused by a failure to follow routine checks, rather than evidence of systemic failings.

"This represents a deeply alarming data failure and the recent 49 Ministry of Defence breaches make clear that the Afghan case was not an isolated error but part of a wider and troubling pattern of negligence," said Adnan Malik of Barings Law, which represents 1,500 affected people.

The scale of incidents raises serious concerns about data security culture within government agencies handling sensitive personal information. Lawyers representing Afghans caught up in the breaches argue the newly disclosed figures suggest a more worrying pattern that puts vulnerable populations at risk.

Technical Controls Remain Inadequate

Former senior military intelligence officer Philip Ingram told Forces News the repeated breaches demonstrate "a lack of awareness and a lack of understanding of the threat to data and a lack of care".

"There are tools that can be put in place that will help the human not make those errors and if something is being sent outside the Ministry of Defence, there should be big warning signs that come up," Ingram said.

The 2022 incident highlighted the need for automated data classification and leak prevention systems.

In May 2025, the Ministry of Defence awarded Australia's Castlepoint an enterprise licence for its AI-driven Automated Data Classification solution. Castlepoint’s proprietary Explainable AI technology will provide real-time, automated control over complex datasets to reduce the risk of human-led errors when handling sensitive data.

Rachael Greaves, CEO of Castlepoint Systems, said: “Securing this contract with the Ministry of Defence as our first UK account is a key milestone for Castlepoint, underscoring the critical importance of sophisticated data control for any organisation, not just national security. The MoD faces a complex challenge in managing vast and sensitive datasets in the knowledge that even a single case of data leak or loss can be catastrophic. I’m pleased that after undertaking a very thorough global search, Castlepoint was selected by MoD as the best solution to solve this problem.  

“Castlepoint, with Explainable AI and true autoclassification at its core, can increase labelling accuracy and coverage without disrupting the essential work of MoD personnel. We are a trusted technology provider for public-sector organisations and enterprises in Australia and New Zealand, and having now established our global headquarters in London, we look forward to delivering our proven solutions to many more organisations in the UK.”  

The MOD has declined to provide details of individual breach cases, though some previously acknowledged breaches involved officials mistakenly disclosing applicants' email addresses or personal information to unintended recipients.

"We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties," an MOD spokesperson said. "All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner's Office and any lesser incidents are examined internally to ensure lessons are learned."

However, the ICO's decision not to take enforcement action despite the scale of breaches has drawn criticism from data protection experts and parliamentarians.

As IDM reported last month, law firms across the UK are preparing what could become one of the largest government compensation cases in history. The government has indicated it will "robustly defend" any legal action or bid for compensation, despite the mounting evidence of systemic data governance failures.