A data breach of thousands of Afghans, and their families, who supported and worked shoulder-to-shoulder with UK troops prompted fears of a Taliban “kill list”, it has been revealed. The leak occurred in February 2022 but has only now been made public knowledge after an unprecedented superinjunction prevented it from being shared.
It is thought the blunder may have put up to 100,000 people at risk of death or serious harm from the Taliban, which retook control of Afghanistan in 2021 — almost 20 years after NATO forces entered the country to remove the regime accused of harbouring Osama Bin Laden and Al-Qaeda. The Defence Secretary offered a “sincere apology” for the leak, which occurred when a UK Government worker accidentally emailed a dataset containing the personal information of nearly 19,000 people who applied for the Afghan Relocations and Assistance Policy (ARAP) outside of a secure government system. He sent the email in an attempt to verify information, believing the dataset to only contain around 150 rows of information, but it contained around 33,000.
The Ministry of Defence (MoD) only became aware of the breach more than a year after the release, when excerpts of the dataset were anonymously posted onto a Facebook group in August 2023.
The dataset included details such as the names and contact details of the ARAP applicants and the names of their family members.
The ARAP scheme, which was launched months before the fall of Kabul to the Taliban in 2021, was responsible for relocating Afghan nationals who had worked for or with the UK Government, such as interpreters, and were therefore at risk of reprisals from the group.
On the day the MoD became aware of the breach, around 1,800 ARAP applicants in Pakistan were sent a warning by UK officials that their data may have been breached.
A day later, the then-armed forces minister James Heappey was sent an email warning by a civilian volunteer assisting ARAP applicants after they discovered the data breach.
They said: “The Taliban may well now have a 33,000 long kill list – essentially provided to them by the UK government.
“If any of these families are murdered, the Government will be liable.”
The breach led to the creation of a secret Afghan relocation scheme – the Afghanistan Response Route – in April 2024.
It is understood to have cost around £400 million so far, with a projected cost once completed of around £850 million. Millions more are expected to be paid in legal costs and compensation.
A previous Government estimate had the cost of all Afghan relocation schemes at £7 billion, but projected costs are now between £5.5 billion and £6 billion.
Defence Secretary John Healey apologised for the breach in the Commons and said the superinjunction made him feel “deeply uncomfortable to be constrained from reporting to this House” about the breach and the secret relocation scheme set up in its wake.
He said he was “confident” there was a reduced risk of future data breaches.
Shadow defence secretary James Cartlidge, who was a minister in August 2023 when the then-government became aware of the data breach, also apologised.
“This data leak should never have happened and was an unacceptable breach of all relevant data protocols,” he said.
Labour MP and defence committee chairman Tan Dhesi said “this whole data breach situation is a mess and is wholly unacceptable”.
Lib Dems defence spokesperson Helen Maguire MP called on the Government to share if there are more superinjunctions and said ministers must “bring forward measures to prevent such breaches from ever happening again”.
Adnan Malik, Head of Data Protection at Barings Law, said the MoD has “repeatedly tried to hide” the “incredibly serious data breach” from the British public.
He said: “Through its careless handling of such sensitive information, the MoD has put multiple lives at risk, damaged its own reputation, and put the success of future operations in jeopardy by eroding trust in its data security measures.
“Barings Law is the only law firm in the United Kingdom to act on behalf of the victims in this case, and is currently working with around 1,000 of those affected to pursue potential legal action.”
Judges said in June last year that between 80,000 and 100,000 people, including the estimated number of family members of the ARAP applicants, were affected by the breach and could be at risk of harassment, torture or death if the Taliban obtained their data, judges said in June 2024.
But an independent review that was commissioned by the Government in January 2025, concluded last month that the dataset is “unlikely to significantly shift Taliban understanding of individuals who may be of interest to them”.
The Government has decided it will close the Afghanistan Response Route following the findings of the Rimmer Review. The decision has been supported by the Tories.
It is understood 18,500 people, including family members, affected by the breach have arrived in the UK with around a further 5,400 to follow.
A total of around 6,900 people are expected to be relocated to the UK through the Afghanistan Response Route alone by time it closes and so far 4,500 have arrived or are in transit via the scheme.
An unprecedented superinjunction was made at the High Court in September 2023 to reduce the risk of alerting the Taliban to the existence of the data.
The decision to apply for the order was made by the then defence secretary Sir Ben Wallace.
The superinjunction was lifted on Tuesday and is thought to be the longest-lasting order of its kind.