🛡️ The Afghan Data Breach – A Wake-Up Call for Public Sector Data Governance
In July 2025, the veil of secrecy was finally lifted on one of the most catastrophic data breaches in UK government history. A spreadsheet leaked by a Ministry of Defence (MoD) official exposed the personal details of nearly 19,000 Afghan nationals — and, crucially, over 100 British special forces operatives and intelligence personnel. Initially concealed under a super-injunction, the breach has now ignited widespread concern over public sector data governance, transparency, and accountability.
🇦🇫 Not Just Afghan Data — GDPR Applies
Initial reports focused on the exposure of Afghan nationals applying for relocation under the Afghan Relocations and Assistance Policy (ARAP). The territorial scope of the UK GDPR (Article 3(1)) turns on where the controller is established, not on where the data subjects live, so records about ARAP applicants processed by a UK government department are very likely within scope too. Beyond that, the breach also included the names of British special forces, MI6 officers, MPs and senior military figures, and this data is unequivocally subject to UK GDPR protections. Its exposure raises serious questions about compliance and risk management within the MoD.
📊 Spreadsheets and Security: A Persistent Weakness
The breach reportedly occurred when a defence official emailed a spreadsheet outside secure government systems, believing it contained only about 150 rows of data. In reality, it held over 33,000 entries. The file was not password-protected or encrypted, and the transfer route, an ordinary email attachment, is alarmingly reminiscent of other public sector breaches.
This echoes previous warnings from the Information Commissioner's Office (ICO), which has advised public authorities to stop using original Excel spreadsheets for Freedom of Information responses because hidden tabs, hidden rows and columns, and underlying source data can be disclosed without the sender realising what the file contains. The MoD's continued reliance on such practices suggests a systemic failure to implement basic data protection principles.
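The failure mode described above, a sender who believes a workbook holds 150 rows when it holds tens of thousands, or who never sees a hidden tab, is cheap to check for mechanically. The script below is an added example and not code from the original article or from any government system: it treats an .xlsx file as what it is, a zip archive of XML parts, reads the sheet list and visibility state from `xl/workbook.xml` and the row count from each worksheet part, and reports anything that should stop a release (hidden or veryHidden sheets, hidden rows, or more rows than the sender expected). The workbook it inspects is a minimal one constructed in memory for the demonstration; it contains only the parts this audit reads, and the function and variable names are this example's own.

```python
"""Pre-release audit of an .xlsx workbook using only the Python standard library.

Added example, not from the original article. An .xlsx file is a zip archive of
XML parts: xl/workbook.xml lists every sheet and its visibility state, and each
worksheet part holds the rows. Reading those parts directly lets a release check
report hidden sheets, hidden rows and the true row count before the file is sent.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_WORKSHEET = NS_REL + "/worksheet"


def audit_xlsx(data: bytes) -> list:
    """Return one record per sheet: name, visibility state, row count, hidden rows."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        # Relationship id -> worksheet part path inside the archive.
        targets = {}
        for rel in rels.findall(f"{{{NS_PKG_REL}}}Relationship"):
            target = rel.get("Target")
            targets[rel.get("Id")] = target.lstrip("/") if target.startswith("/") else "xl/" + target
        report = []
        for sheet in workbook.find(f"{{{NS_MAIN}}}sheets"):
            part = zf.read(targets[sheet.get(f"{{{NS_REL}}}id")])
            rows = ET.fromstring(part).findall(f".//{{{NS_MAIN}}}sheetData/{{{NS_MAIN}}}row")
            report.append({
                "name": sheet.get("name"),
                # A missing state attribute means the sheet is visible.
                "state": sheet.get("state", "visible"),
                "rows": len(rows),
                "hidden_rows": sum(1 for r in rows if r.get("hidden") in ("1", "true")),
            })
    return report


def check_release(report: list, expected_rows: int) -> list:
    """Return human-readable findings; an empty list means nothing blocks release."""
    findings = []
    total = 0
    for sheet in report:
        total += sheet["rows"]
        if sheet["state"] != "visible":
            findings.append(f'sheet "{sheet["name"]}" is {sheet["state"]} ({sheet["rows"]} rows)')
        if sheet["hidden_rows"]:
            findings.append(f'sheet "{sheet["name"]}" has {sheet["hidden_rows"]} hidden rows')
    if total > expected_rows:
        findings.append(f"workbook holds {total} rows in total, sender expected at most {expected_rows}")
    return findings


def build_sample_workbook() -> bytes:
    """Constructed minimal workbook (example only): a visible 'Summary' sheet with
    3 rows and a veryHidden 'Full list' sheet with 5 rows, one of them hidden.
    Parts a spreadsheet application would also require but this audit never reads
    ([Content_Types].xml, _rels/.rels) are deliberately omitted."""
    def sheet_xml(n_rows, hidden_rows=()):
        parts = []
        for i in range(1, n_rows + 1):
            hidden = ' hidden="1"' if i in hidden_rows else ""
            parts.append(f'<row r="{i}"{hidden}><c r="A{i}" t="inlineStr"><is><t>row {i}</t></is></c></row>')
        return f'<worksheet xmlns="{NS_MAIN}"><sheetData>' + "".join(parts) + "</sheetData></worksheet>"

    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Full list" sheetId="2" state="veryHidden" r:id="rId2"/>'
                "</sheets></workbook>")
    rels = (f'<Relationships xmlns="{NS_PKG_REL}">'
            f'<Relationship Id="rId1" Type="{REL_WORKSHEET}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{REL_WORKSHEET}" Target="worksheets/sheet2.xml"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml(3))
        zf.writestr("xl/worksheets/sheet2.xml", sheet_xml(5, hidden_rows=(4,)))
    return buf.getvalue()


if __name__ == "__main__":
    # The sender believes the file holds 3 rows; the audit shows otherwise.
    for finding in check_release(audit_xlsx(build_sample_workbook()), expected_rows=3):
        print("FINDING:", finding)
```

The point of reading the XML parts rather than opening the file in Excel is that the check sees exactly what a recipient would get, including sheets marked `veryHidden`, which Excel does not show in the unhide dialog at all. Run against a real file with `audit_xlsx(open("export.xlsx", "rb").read())`; a non-empty findings list is a reason to stop and rebuild the export from the minimum data needed rather than to send the original.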
⚖️ Data Minimisation: A Forgotten Principle
The fact that all this sensitive data sat in a single spreadsheet raises serious concerns about data minimisation. Under the UK GDPR (Article 5(1)(c)), personal data must be adequate, relevant and limited to what is necessary for the purpose it is processed for. Aggregating thousands of relocation applicants' records with the names of serving personnel in one unsecured file, and then handling that file by email, flies in the face of this principle: nobody emailing a 150-row extract needs the other 33,000 rows.
Data minimisation isn’t just a legal requirement; it’s a strategic safeguard. As Rachael Greaves noted at QCon London, “Data minimisation is a mechanism to lower the impact of data breaches.” Its absence here amplified the fallout.
💰 Compensation Claims: Misunderstood and Misused
In the wake of the breach, law firms have begun preparing compensation claims on behalf of affected individuals. Barings Law alone is representing nearly 1,000 victims. However, it’s important to clarify that GDPR does not automatically entitle individuals to compensation. Article 82 allows for claims where damage — material or non-material — has occurred, but it does not create a blanket entitlement.
The narrative that “GDPR guarantees compensation” is misleading. Claims must be substantiated, and courts will assess the actual harm suffered. Nonetheless, the scale and sensitivity of this breach mean that substantial legal challenges are likely.
🧩 Secrecy and Scrutiny: A Dangerous Combination
Perhaps most troubling is the two-year super-injunction that prevented any reporting of the breach. While intended to protect lives, the injunction also shielded the government from scrutiny and delayed public awareness. As Kevin Keith of the UK Open Government Network noted, “An injunction aimed at protecting lives ended up concealing a catastrophic error. It may even have compounded the harm.”
This lack of transparency is not new. As I’ve previously written on Cambridge Risk Solutions, the ICO has historically failed to take breaches within the public sector seriously. This leniency may foster a culture of complacency — one where deeply sensitive data is mishandled without meaningful consequence.
🔍 Lessons for the Public Sector
This breach should serve as a wake-up call. Public sector bodies must:
- Abandon spreadsheet sharing by email attachment and move sensitive datasets to access-controlled data management platforms, where recipients are granted access to the specific records they need rather than sent a copy of everything.
- Implement robust data minimisation strategies, ensuring only necessary data is collected, retained and included in any extract that leaves the system of record.
- Train staff rigorously on data handling, especially those dealing with sensitive or high-risk datasets, including the simple habit of verifying what a file actually contains (every sheet, every row) before releasing it.
- Ensure transparency and accountability, even in cases involving national security.
🧭 Final Thoughts
The Afghan data breach is not just a failure of technology — it’s a failure of governance, culture, and leadership. It underscores the urgent need for public sector reform in data protection practices. As professionals in business continuity and information security, we must continue to advocate for stronger safeguards, clearer accountability, and a culture that treats data with the seriousness it deserves.