Full Report
ICO says probe unnecessary after reviewing ministry's handling of leak The UK's data protection regulator declined to launch an investigation into a leak at the Ministry of Defence that risked the lives of thousands of Afghans connected with the British Armed Forces.…
Analysis Summary
# Incident Report: MoD Accidental Data Leak of Afghan Applicants
## Executive Summary
The UK Ministry of Defence (MoD) was responsible for an accidental data leak involving the personal details of thousands of Afghans connected to the British Armed Forces' resettlement scheme. The leak, which was initially discovered in August 2023 but formally surfaced after a superinjunction was lifted, was determined by the Information Commissioner's Office (ICO) to be an accidental sharing event where hidden data was included in a spreadsheet. The ICO ultimately decided against a formal investigation, citing concerns that an investigation might hinder the MoD's immediate rectification and safety measures for those affected.
## Incident Details
- Discovery Date: Initial evidence surfaced publicly in **July 2025** (when the superinjunction was lifted); MoD became aware in **August 2023**.
- Incident Date: Sometime **before August 2023** (the exact date of the mis-share is not specified, but awareness began in Aug 2023).
- Affected Organization: Ministry of Defence (MoD).
- Sector: Government/Defence.
- Geography: United Kingdom.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, occurred prior to August 2023.
- Vector: **Accidental Data Sharing/Misconfiguration**.
- Details: An official shared a spreadsheet with an external party, believing they were sharing a limited dataset. The spreadsheet contained sensitive data in "hidden cells," which were inadvertently included in the shared file.
### Lateral Movement
- Not applicable; this was an unauthorized *disclosure* event resulting from an internal operational error, not a network intrusion or lateral movement by an external actor.
### Data Exfiltration/Impact
- **Data Breach:** A spreadsheet comprising 33,345 lines of data was leaked. This included names and contact details of applicants to the Afghan resettlement scheme (ARAP) and information about their family members—individuals at risk of Taliban reprisal.
- **Financial Impact:** The incident is estimated to have cost the MoD more than **£850 million** (though this figure appears linked to overall recovery/response costs rather than just the breach handling).
### Detection & Response
- **August 2023:** MoD first became aware after personal details of ten individuals were posted to Facebook.
- **August 2023 - July 2025:** A government superinjunction was in place, limiting formal documentation and external review.
- **Post-Injunction (July 2025 onwards):** The ICO reviewed the details after the superinjunction was lifted. The ICO met with MoD officials but did not immediately document a formal decision because of classification constraints.
- **Post-Review:** The ICO formally decided *not* to launch an investigation, satisfied with the MoD's ongoing efforts to rectify the problem and protect affected individuals.
## Attack Methodology
This section focuses on the root cause method of data disclosure, not a traditional cyber attack:
- Initial Access: **Accidental Sharing via email/file transfer** (internal user error; the file was sent to an external recipient).
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: **Accidental Collection** (the shared file included data stored in hidden cells that the sender did not intend to share).
- Exfiltration: **Deliberate manual sharing** of a file that carried far more, and far more sensitive, data than the sender intended to release.
- Impact: **Risk to Life/Privacy Violation** (placing thousands of vulnerable Afghan personnel and their families at risk of reprisal).
## Impact Assessment
- Financial: Estimated operational/response cost exceeding £850 million mentioned in related context (NAO report).
- Data Breach: Personal identifying information (names, contact details) and family data for 33,345 resettlement scheme applicants.
- Operational: Potential hindrance to the ARAP resettlement scheme response due to external scrutiny. Implied strain on MoD resources managing the fallout.
- Reputational: Negative attention for the MoD regarding the handling of life-critical data and relationship with the ICO/government oversight bodies.
## Indicators of Compromise
*Detection methodology was focused on external publication rather than network traffic analysis.*
- Network indicators: N/A (No external malicious network activity detailed).
- File indicators: Spreadsheet containing 33,345 lines of applicant data made public.
- Behavioral indicators: Unauthorized external sharing of a document containing sensitive PII on at-risk individuals.
## Response Actions
- **Internal MoD Response (Immediate):** Took steps to get to the root cause and rectify problems, and to keep affected people safe (though details withheld due to classification/sensitivity).
- **ICO Decision:** ICO met with MoD officials, reviewed available information, and made the decision **not to launch a formal investigation**, citing potential hindrance to MoD's rectification efforts.
- **Post-Decision Action:** ICO informed the Cabinet Office and committed to working with DSIT on a plan to improve public sector data protection standards by year-end.
## Lessons Learned
- **Operational Security Failures:** Failure to verify the full contents of a shared dataset, especially regarding hidden fields or layers of data, resulted in a severe breach.
- **Classification Challenges:** The use of a superinjunction complicated post-incident oversight, preventing the ICO from immediately documenting or taking action effectively.
- **Resource Constraints:** The ICO cited a lack of sufficient vetted staff as a challenge in being able to investigate incidents involving classified information.
- **Internal Communication & Process:** The ICO acknowledged its own internal documentation process failed initially when handling the classified information surrounding the initial decision to take no further action.
## Recommendations
- Implement mandatory checks/audits prior to sharing potentially sensitive datasets to external parties, focusing on verifying hidden layers or unrequired fields.
- Improve internal protocols within government bodies for documenting sensitive regulatory interactions, even when under classification restrictions, to ensure clear audit trails for regulatory bodies like the ICO.
- MoD and relevant departments must prioritize increasing the capacity (vetted staff) within the ICO or parallel regulatory bodies capable of handling investigations tied to classified data to ensure timely regulatory oversight.
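The hidden-cell failure mode described under Incident Details and the pre-share check called for in the first recommendation can be automated. The script below is an added example, not MoD tooling and not code from the source article. It uses only the Python standard library, treats an `.xlsx` file as the zip of XML parts it actually is, and flags hidden or "veryHidden" sheets, hidden column ranges and hidden rows (with a count of the cells each hidden row carries) before a file is released. The workbook it scans is constructed in memory for the demonstration; the sheet names, cell references and placeholder values are assumptions and do not describe the real file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used inside .xlsx parts (ECMA-376 / ISO 29500)
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_hidden_content(xlsx_bytes):
    """Scan an .xlsx for structurally hidden content.

    Returns a list of (part, kind, detail) tuples covering hidden/veryHidden
    sheets, hidden column ranges and hidden rows. Cells in hidden rows are
    counted so a reviewer sees how much data would travel unseen.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                findings.append((sheet.get("name"), "hidden_sheet", state))

        for part in sorted(zf.namelist()):
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", part):
                continue
            root = ET.fromstring(zf.read(part))
            for col in root.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append((part, "hidden_columns", f"{col.get('min')}-{col.get('max')}"))
            for row in root.iter(f"{{{NS_MAIN}}}row"):
                if row.get("hidden") in ("1", "true"):
                    cells = len(list(row.iter(f"{{{NS_MAIN}}}c")))
                    findings.append((part, "hidden_row", f"r={row.get('r')} cells={cells}"))
    return findings


def is_safe_to_share(xlsx_bytes):
    """Pre-share gate: refuse any workbook that has structurally hidden content."""
    return not find_hidden_content(xlsx_bytes)


def _cell(ref, text):
    # Inline-string cell; avoids needing a sharedStrings part in the sample file.
    return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'


def _row(r, values, hidden_attr=""):
    refs = [f"{chr(ord('A') + i)}{r}" for i in range(len(values))]
    return f'<row r="{r}"{hidden_attr}>' + "".join(_cell(ref, v) for ref, v in zip(refs, values)) + "</row>"


def build_constructed_workbook(hide_data=True):
    """Assemble a minimal .xlsx in memory (constructed sample, not a real file).

    With hide_data=True it mimics the failure mode: a visible sheet whose
    columns C:D and row 3 are hidden, plus a hidden second sheet. Names and
    numbers are placeholders, not real data.
    """
    hidden = ' hidden="1"' if hide_data else ""
    state = ' state="hidden"' if hide_data else ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Applicants" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Family" sheetId="2"{state} r:id="rId2"/>'
        "</sheets></workbook>"
    )
    sheet1 = (
        f'<worksheet xmlns="{NS_MAIN}">'
        f'<cols><col min="3" max="4"{hidden} width="12"/></cols><sheetData>'
        + _row(1, ["ref", "status", "name", "phone"])
        + _row(2, ["0001", "approved", "[constructed name]", "[constructed number]"])
        + _row(3, ["0002", "pending", "[constructed name]", "[constructed number]"], hidden)
        + "</sheetData></worksheet>"
    )
    sheet2 = f'<worksheet xmlns="{NS_MAIN}"><sheetData>' + _row(1, ["family members"]) + "</sheetData></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_hidden_content(build_constructed_workbook()):
        print(*finding)
```

This gate catches only structural hiding (sheet state, hidden rows and columns). Data can also be concealed by white-on-white fonts, near-zero column widths, active filters, comments, defined names or document metadata, none of which this check inspects. For a release of a reduced dataset the stronger control is to export just the requested columns into a freshly created file rather than trying to sanitise the working spreadsheet, and to run a check such as this one on the exported file as a second line of defence.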