Latest news with #JamesHeappey
Sydney Morning Herald
a day ago
- Politics
- Sydney Morning Herald
‘Bone-chilling': The most expensive – and potentially deadly
When journalists inquired about the data breach, they were slapped with a superinjunction. By court order, news outlets were prevented from disclosing any details about the error – or even the existence of the injunction itself. At the time the email was sent, the government was scrambling to make good on a promise to give sanctuary to Afghans, including soldiers and interpreters, who had fought alongside British troops following the invasion in 2001 until the fall of Kabul to the Taliban in August 2021. The tens of thousands of names on the database were of Afghans who had applied for asylum in the UK under the specially convened ARAP scheme. It also included information about Afghans who applied to a similar programme called the Afghan Citizens Resettlement Scheme (ACRS). Their very act of applying for asylum had put their lives in jeopardy. For 18 months, the Ministry of Defence (MoD) appeared oblivious to the existence of the rogue email, with its spreadsheet sent in error. That all changed on August 14 2023, with an anonymous post on Facebook that would send the MoD into a spiral of panic. The MoD only became aware of the leak when that month a member of the public wrote to Luke Pollard, the Labour MP for Plymouth, and James Heappey, a Conservative who was at the time a defence minister, warning them that the spreadsheet had been shared widely online. 'I have a copy of it, so does the Taliban – why doesn't the ARAP team?' wrote the person, whose name was redacted in court documents, in the email dated August 10, 2023. They are understood to be a support worker for Afghans settling in the UK. Extracts from the spreadsheet were then posted on Facebook four days later. In a group used by 1300 Afghans needing to relocate, some of whom may have been Taliban infiltrators, the user – known only as 'Anonymous Member' – wrote that he was in possession of the database containing records of 25,000 applicants on 33,000 rows of information, adding: 'I want to disclose it.' The user who posted the extracts is understood to have been an Afghan who was sent the database, and whose own asylum claim was later rejected. To show the list was genuine, the Facebook user then posted the personal details of nine Afghans who had applied to the ARAP scheme. British diplomatic staff administering the scheme in Pakistan were alerted by another member of the Facebook group. Alarm bells began to ring. By the afternoon of August 14, the relocation team in Islamabad had circulated an email to some 1800 Afghans in Pakistan, warning them: 'We have been informed there may have been a potential data breach of your contact information.' Some of those affected told the British Council they had been contacted by Iranian phone numbers on WhatsApp asking them to disclose scans of their passports. However, Whitehall officials chose not to inform any individuals waiting in Afghanistan or elsewhere about the breach, because it was felt it would increase the risk of the Taliban getting hold of it. Spies, meanwhile, sought to delete any trace of the list from servers overseas. The posts were deleted within three days after officials from the MoD contacted Meta, Facebook's owner. Timeline of the 'kill list' and the superinjunction February 2022: A Royal Marine accidentally sends an email containing the list of nearly 25,000 people who applied for the Afghan Relocations and Assistance Policy. August 14 2023: A Facebook user posts an excerpt of the dataset disclosing the details of nine ARAP applicants. The Ministry of Defence is notified. August 15: A civilian volunteer warns James Heappey, the armed forces minister, that the Taliban may now have a 'kill list essentially provided to them by the UK government'. August 17-25: Journalists contact the MoD and Foreign Office about the breach, but agree not to publish until those at risk are protected. Ben Wallace, the defence secretary, decides to apply for a court order blocking the news. September 1: The MoD asks the High Court for an injunction for around four months. A High Court judge grants a superinjunction, saying the risk of the information falling into the Taliban's hands justifies the highest level of secrecy. November 16: A Cabinet sub-committee, the Domestic and Economic Affairs (DEA) committee, discusses the issue. Members at the time include Rishi Sunak and Jeremy Hunt. Meeting notes reveal plans to establish a compensation scheme at a cost between £120 million and £350 million. November 23: Justice Martin Chamberlain gives a private judgment where he says granting a superinjunction 'is likely to give rise to understandable suspicion that the court's processes are being used for the purposes of censorship'. December 19: The DEA committee says that a new route of settlement in the UK should be offered to about 200 at-risk people and their dependents. This is called the Afghanistan Response Route (ARR). February 15 2024: Chamberlain extends the superinjunction. He adds in a second, private judgment: 'What is clear is that the Government has decided to offer help to only a very small proportion of those whose lives have been endangered by the data incident and that the decisions in this regard are being taken without any opportunity for scrutiny through the media or in Parliament.' May 21: Chamberlain rules that the superinjunction should be lifted. He says there is a 'significant possibility' the Taliban knows about the dataset, but adds that it is 'fundamentally objectionable' that decisions about thousands of people's lives and billions of pounds of taxpayers' money are being taken in secret. June 25-26: The Court of Appeal rules that the superinjunction will remain in place. In a later written ruling, judges Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby say that between 80,000 and 100,000 people could be at risk if the Taliban were to obtain the data. July 4: Sir Keir Starmer is briefed about the data breach after taking office. February 3 2025: A review says the ARR resettlement plan would mean relocating more Afghans than had been moved under ARAP, and would extend the schemes for another five years at a total cost to the taxpayer of around £6 billion. July 4: John Healey, the Defence Secretary, concludes that the ARR should be closed after an internal review finds the breach is unlikely to have put individuals at greater risk. The review also said the Government may have 'inadvertently added more value to the dataset' by seeking the superinjunction and implementing a bespoke resettlement scheme. Government lawyers tell the High Court that in light of the decision to close the Afghanistan Response Route, the superinjunction 'should no longer continue'. July 15: Chamberlain lifts the superinjunction. The Metropolitan Police was informed in August 2023, but it was decided a criminal investigation was not necessary. It is understood that individuals in the UK and Pakistan are still in possession of the database, and in at least one case it has changed hands for a large sum of money, understood to be five figures. By 10am on August 15, an email was sent to Heappey – the armed forces minister at the time – with the alarming subject title: 'ARAP families, imminent threat to life.' The sender of the email – whose name has been redacted in court documents – explained that they were now aware of the data breach. 'The fact that the Taliban may be in possession of 33,000 ARAP applications, including the primary applicants' phone numbers and all the case evidence, is simply bone-chilling,' claimed the email. It is unclear what, if any, was Heappey's response. Or indeed whether he saw the email. By 8.09pm, a time when the MoD's top brass would have gone home for the day, a senior official in charge of data governance circulated an official crisis alert to them, confirming the data breach. But it wasn't clear at that stage how the database had got into rogue hands. The question, an unnerving one for the government, was whether this could have been an illegal hack. The intelligence services, including GCHQ and MI6, were briefed by the UK Foreign Office and asked to examine whether a hostile state could have been responsible. The CIA was also brought into the loop. Days later, officials realised the stark truth of the accidental leak. From then on, the government went into crisis mode. David Williams, a freelance journalist who had previously worked on a campaign to resettle Afghan interpreters, was made aware of the breach. He contacted the MoD for comment, and other journalists soon got wind of it. The government decided that any whiff of the spreadsheet could put lives in danger, and the MoD issued a so-called D-Notice requesting that newspapers refrain from reporting the breach. D-Notices are advisory only, and not legally binding. Meanwhile, inside the UK government, ministers were in a race against time to get to Afghans identified on the spreadsheet before the Taliban could. Ben Wallace, the defence secretary at the time, who had announced in July his intention to resign, was incandescent. He had been concerned about data safety and could not believe that such a lackadaisical breach could have been allowed to occur. A Cobra meeting – called when high-level decision need to be made in emergency situations – was convened in Whitehall in response. On August 25, 2023, in one of his last acts as defence secretary, Wallace applied to the High Court for an injunction to prevent the leak becoming public. A week later, on Sept 1 – by which time Grant Shapps had been installed as his successor – the High Court granted a superinjunction contra mundum – meaning 'against the world' – that prevented anybody knowing about the leak and the existence of the injunction itself. It was the first time such a draconian injunction had been used by a UK government against the British press. By now, the government was running two operations. One was to stop the story getting out, and the other was to get the Afghans out of their home country and to the safety of the UK. Ministers launched Operation Rubific, which would aim to bring thousands of Afghan families most at risk to the UK, largely via Pakistan. In towns up and down the country, Afghans were quietly resettled and their numbers kept off the official books, after being flown into the UK on specially arranged flights. Justice Robin Knowles, the High Court judge who granted the superinjunction, accepted his ruling would infringe 'freedom of expression and of the press,' but insisted that 'the impact is justified in the particular and exceptional circumstances of this case including the risk to life and of torture'. Instead of being granted against a named individual or news organisation, the injunction banned anybody at all who learnt of the leak from talking about it. With news reporting banned, Parliament was kept in the dark – although the speakers of both the Lords and Commons – were secretly told so they could decide how to handle any Parliamentary questions to ministers about it. John Healey, then the shadow defence secretary, tabled just such a question on December 13, 2023. In that month, the information commissioner had fined the MoD £350,000 for leaking the details of more than 200 ARAP applicants. Healey asked if the watchdog was investigating any similar breaches. A brief answer from Heappey said there were two 'live investigations', confirming the Labour member's suspicions. The Telegraph understands that Heappey then met his Labour counterpart that month to reveal all to him. Yet, Healey was also served with the superinjunction at the meeting – meaning he could not even tell Sir Keir Starmer, the leader of the opposition at the time, let alone the shadow chancellor. The intelligence and security committee and the Commons defence select committee were both kept in the dark. 'I would not widen [the] circle by briefing others,' said Shapps in a civil service memo dated November 2023. The chairman of the public inquiry into alleged extrajudicial killings of Afghans by members of the SAS was also kept in the dark. Democratic accountability had seemingly been thwarted. Thanks to the court order, the MP could ask no further public questions about the leak, nor question ministers' and officials' handling of it in deciding to bring all the directly affected Afghans to the UK. At the time, sources suggested, the MoD's estimate of the total cost of bringing Afghans to Britain was in the region of £4 billion. It would rise to £7 billion, before being revised down to £6 billion, an extraordinary sum all the same. By May last year, a Cabinet subcommittee chaired by the deputy prime minister – at the time, Oliver Dowden – had decided to allow 11,500 Afghans into Britain as a result of the leak, yet this had not been announced to Parliament nor subjected to any public scrutiny. Loading The money to do so was drawn from the Treasury's reserve funds and not the MoD, Home Office or Department for Communities and Local Government's budgets, The Telegraph understands. At about the same time, Justice Martin Chamberlain, who had taken over the legal case, ruled the injunction ought to be lifted, prompting an immediate appeal by the MoD. Court of Appeal judges agreed with the government and said the gag order had to remain in place. Meanwhile, July's general election saw a change of government. Initially, Labour kept things exactly as they were under their Tory predecessors, with MoD lawyers continuing to insist to the High Court that any public mention of the leak would be lethally disastrous. Healey, by now the Defence Secretary, continued to toe the MoD line and stay silent on the breach. The injunction would remain in place for another year after Labour took charge. Officials and politicians continued to maintain that any public knowledge of the breach would somehow inspire the Taliban to go and look for the spreadsheet. Yet by January this year, retired civil servant Paul Rimmer – the former deputy head of Defence Intelligence – had been commissioned to review the risks. By April, The Telegraph understands, ministers were aware that he was likely to find that if the data breach became public knowledge it would not substantially increase the risks to those mentioned in it. In his review, Rimmer concluded that 'early concern about the extent of the Taliban intent to target [certain individuals] has diminished'. 'There is little evidence of intent by the Taliban to conduct a campaign of retribution… Killings are undoubtedly still occurring, and human rights violations remain extensive, but it is extremely difficult to determine the causes of individual killings or detentions,' he found. The system set up to fly in Afghans, without any public knowledge of the scheme as a result of the data breach, was now 'disproportionate to the actual impact of the data loss were it to fall into the Taliban's hands'. By the time of the review, 16,156 individuals affected by the breach in 2022 had reached the safety of the UK. But it is only now that news organisations can tell that story. An Afghan man now living in Britain is said to be the person who threatened to share the list. According to the Daily Mail, he is in the UK with at least seven relatives.
The Age
a day ago
- Politics
- The Age
‘Bone-chilling': The most expensive – and potentially deadly
When journalists inquired about the data breach, they were slapped with a superinjunction. By court order, news outlets were prevented from disclosing any details about the error – or even the existence of the injunction itself. At the time the email was sent, the government was scrambling to make good on a promise to give sanctuary to Afghans, including soldiers and interpreters, who had fought alongside British troops following the invasion in 2001 until the fall of Kabul to the Taliban in August 2021. The tens of thousands of names on the database were of Afghans who had applied for asylum in the UK under the specially convened ARAP scheme. It also included information about Afghans who applied to a similar programme called the Afghan Citizens Resettlement Scheme (ACRS). Their very act of applying for asylum had put their lives in jeopardy. For 18 months, the Ministry of Defence (MoD) appeared oblivious to the existence of the rogue email, with its spreadsheet sent in error. That all changed on August 14 2023, with an anonymous post on Facebook that would send the MoD into a spiral of panic. The MoD only became aware of the leak when that month a member of the public wrote to Luke Pollard, the Labour MP for Plymouth, and James Heappey, a Conservative who was at the time a defence minister, warning them that the spreadsheet had been shared widely online. 'I have a copy of it, so does the Taliban – why doesn't the ARAP team?' wrote the person, whose name was redacted in court documents, in the email dated August 10, 2023. They are understood to be a support worker for Afghans settling in the UK. Extracts from the spreadsheet were then posted on Facebook four days later. In a group used by 1300 Afghans needing to relocate, some of whom may have been Taliban infiltrators, the user – known only as 'Anonymous Member' – wrote that he was in possession of the database containing records of 25,000 applicants on 33,000 rows of information, adding: 'I want to disclose it.' The user who posted the extracts is understood to have been an Afghan who was sent the database, and whose own asylum claim was later rejected. To show the list was genuine, the Facebook user then posted the personal details of nine Afghans who had applied to the ARAP scheme. British diplomatic staff administering the scheme in Pakistan were alerted by another member of the Facebook group. Alarm bells began to ring. By the afternoon of August 14, the relocation team in Islamabad had circulated an email to some 1800 Afghans in Pakistan, warning them: 'We have been informed there may have been a potential data breach of your contact information.' Some of those affected told the British Council they had been contacted by Iranian phone numbers on WhatsApp asking them to disclose scans of their passports. However, Whitehall officials chose not to inform any individuals waiting in Afghanistan or elsewhere about the breach, because it was felt it would increase the risk of the Taliban getting hold of it. Spies, meanwhile, sought to delete any trace of the list from servers overseas. The posts were deleted within three days after officials from the MoD contacted Meta, Facebook's owner. Timeline of the 'kill list' and the superinjunction February 2022: A Royal Marine accidentally sends an email containing the list of nearly 25,000 people who applied for the Afghan Relocations and Assistance Policy. August 14 2023: A Facebook user posts an excerpt of the dataset disclosing the details of nine ARAP applicants. The Ministry of Defence is notified. August 15: A civilian volunteer warns James Heappey, the armed forces minister, that the Taliban may now have a 'kill list essentially provided to them by the UK government'. August 17-25: Journalists contact the MoD and Foreign Office about the breach, but agree not to publish until those at risk are protected. Ben Wallace, the defence secretary, decides to apply for a court order blocking the news. September 1: The MoD asks the High Court for an injunction for around four months. A High Court judge grants a superinjunction, saying the risk of the information falling into the Taliban's hands justifies the highest level of secrecy. November 16: A Cabinet sub-committee, the Domestic and Economic Affairs (DEA) committee, discusses the issue. Members at the time include Rishi Sunak and Jeremy Hunt. Meeting notes reveal plans to establish a compensation scheme at a cost between £120 million and £350 million. November 23: Justice Martin Chamberlain gives a private judgment where he says granting a superinjunction 'is likely to give rise to understandable suspicion that the court's processes are being used for the purposes of censorship'. December 19: The DEA committee says that a new route of settlement in the UK should be offered to about 200 at-risk people and their dependents. This is called the Afghanistan Response Route (ARR). February 15 2024: Chamberlain extends the superinjunction. He adds in a second, private judgment: 'What is clear is that the Government has decided to offer help to only a very small proportion of those whose lives have been endangered by the data incident and that the decisions in this regard are being taken without any opportunity for scrutiny through the media or in Parliament.' May 21: Chamberlain rules that the superinjunction should be lifted. He says there is a 'significant possibility' the Taliban knows about the dataset, but adds that it is 'fundamentally objectionable' that decisions about thousands of people's lives and billions of pounds of taxpayers' money are being taken in secret. June 25-26: The Court of Appeal rules that the superinjunction will remain in place. In a later written ruling, judges Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby say that between 80,000 and 100,000 people could be at risk if the Taliban were to obtain the data. July 4: Sir Keir Starmer is briefed about the data breach after taking office. February 3 2025: A review says the ARR resettlement plan would mean relocating more Afghans than had been moved under ARAP, and would extend the schemes for another five years at a total cost to the taxpayer of around £6 billion. July 4: John Healey, the Defence Secretary, concludes that the ARR should be closed after an internal review finds the breach is unlikely to have put individuals at greater risk. The review also said the Government may have 'inadvertently added more value to the dataset' by seeking the superinjunction and implementing a bespoke resettlement scheme. Government lawyers tell the High Court that in light of the decision to close the Afghanistan Response Route, the superinjunction 'should no longer continue'. July 15: Chamberlain lifts the superinjunction. The Metropolitan Police was informed in August 2023, but it was decided a criminal investigation was not necessary. It is understood that individuals in the UK and Pakistan are still in possession of the database, and in at least one case it has changed hands for a large sum of money, understood to be five figures. By 10am on August 15, an email was sent to Heappey – the armed forces minister at the time – with the alarming subject title: 'ARAP families, imminent threat to life.' The sender of the email – whose name has been redacted in court documents – explained that they were now aware of the data breach. 'The fact that the Taliban may be in possession of 33,000 ARAP applications, including the primary applicants' phone numbers and all the case evidence, is simply bone-chilling,' claimed the email. It is unclear what, if any, was Heappey's response. Or indeed whether he saw the email. By 8.09pm, a time when the MoD's top brass would have gone home for the day, a senior official in charge of data governance circulated an official crisis alert to them, confirming the data breach. But it wasn't clear at that stage how the database had got into rogue hands. The question, an unnerving one for the government, was whether this could have been an illegal hack. The intelligence services, including GCHQ and MI6, were briefed by the UK Foreign Office and asked to examine whether a hostile state could have been responsible. The CIA was also brought into the loop. Days later, officials realised the stark truth of the accidental leak. From then on, the government went into crisis mode. David Williams, a freelance journalist who had previously worked on a campaign to resettle Afghan interpreters, was made aware of the breach. He contacted the MoD for comment, and other journalists soon got wind of it. The government decided that any whiff of the spreadsheet could put lives in danger, and the MoD issued a so-called D-Notice requesting that newspapers refrain from reporting the breach. D-Notices are advisory only, and not legally binding. Meanwhile, inside the UK government, ministers were in a race against time to get to Afghans identified on the spreadsheet before the Taliban could. Ben Wallace, the defence secretary at the time, who had announced in July his intention to resign, was incandescent. He had been concerned about data safety and could not believe that such a lackadaisical breach could have been allowed to occur. A Cobra meeting – called when high-level decision need to be made in emergency situations – was convened in Whitehall in response. On August 25, 2023, in one of his last acts as defence secretary, Wallace applied to the High Court for an injunction to prevent the leak becoming public. A week later, on Sept 1 – by which time Grant Shapps had been installed as his successor – the High Court granted a superinjunction contra mundum – meaning 'against the world' – that prevented anybody knowing about the leak and the existence of the injunction itself. It was the first time such a draconian injunction had been used by a UK government against the British press. By now, the government was running two operations. One was to stop the story getting out, and the other was to get the Afghans out of their home country and to the safety of the UK. Ministers launched Operation Rubific, which would aim to bring thousands of Afghan families most at risk to the UK, largely via Pakistan. In towns up and down the country, Afghans were quietly resettled and their numbers kept off the official books, after being flown into the UK on specially arranged flights. Justice Robin Knowles, the High Court judge who granted the superinjunction, accepted his ruling would infringe 'freedom of expression and of the press,' but insisted that 'the impact is justified in the particular and exceptional circumstances of this case including the risk to life and of torture'. Instead of being granted against a named individual or news organisation, the injunction banned anybody at all who learnt of the leak from talking about it. With news reporting banned, Parliament was kept in the dark – although the speakers of both the Lords and Commons – were secretly told so they could decide how to handle any Parliamentary questions to ministers about it. John Healey, then the shadow defence secretary, tabled just such a question on December 13, 2023. In that month, the information commissioner had fined the MoD £350,000 for leaking the details of more than 200 ARAP applicants. Healey asked if the watchdog was investigating any similar breaches. A brief answer from Heappey said there were two 'live investigations', confirming the Labour member's suspicions. The Telegraph understands that Heappey then met his Labour counterpart that month to reveal all to him. Yet, Healey was also served with the superinjunction at the meeting – meaning he could not even tell Sir Keir Starmer, the leader of the opposition at the time, let alone the shadow chancellor. The intelligence and security committee and the Commons defence select committee were both kept in the dark. 'I would not widen [the] circle by briefing others,' said Shapps in a civil service memo dated November 2023. The chairman of the public inquiry into alleged extrajudicial killings of Afghans by members of the SAS was also kept in the dark. Democratic accountability had seemingly been thwarted. Thanks to the court order, the MP could ask no further public questions about the leak, nor question ministers' and officials' handling of it in deciding to bring all the directly affected Afghans to the UK. At the time, sources suggested, the MoD's estimate of the total cost of bringing Afghans to Britain was in the region of £4 billion. It would rise to £7 billion, before being revised down to £6 billion, an extraordinary sum all the same. By May last year, a Cabinet subcommittee chaired by the deputy prime minister – at the time, Oliver Dowden – had decided to allow 11,500 Afghans into Britain as a result of the leak, yet this had not been announced to Parliament nor subjected to any public scrutiny. Loading The money to do so was drawn from the Treasury's reserve funds and not the MoD, Home Office or Department for Communities and Local Government's budgets, The Telegraph understands. At about the same time, Justice Martin Chamberlain, who had taken over the legal case, ruled the injunction ought to be lifted, prompting an immediate appeal by the MoD. Court of Appeal judges agreed with the government and said the gag order had to remain in place. Meanwhile, July's general election saw a change of government. Initially, Labour kept things exactly as they were under their Tory predecessors, with MoD lawyers continuing to insist to the High Court that any public mention of the leak would be lethally disastrous. Healey, by now the Defence Secretary, continued to toe the MoD line and stay silent on the breach. The injunction would remain in place for another year after Labour took charge. Officials and politicians continued to maintain that any public knowledge of the breach would somehow inspire the Taliban to go and look for the spreadsheet. Yet by January this year, retired civil servant Paul Rimmer – the former deputy head of Defence Intelligence – had been commissioned to review the risks. By April, The Telegraph understands, ministers were aware that he was likely to find that if the data breach became public knowledge it would not substantially increase the risks to those mentioned in it. In his review, Rimmer concluded that 'early concern about the extent of the Taliban intent to target [certain individuals] has diminished'. 'There is little evidence of intent by the Taliban to conduct a campaign of retribution… Killings are undoubtedly still occurring, and human rights violations remain extensive, but it is extremely difficult to determine the causes of individual killings or detentions,' he found. The system set up to fly in Afghans, without any public knowledge of the scheme as a result of the data breach, was now 'disproportionate to the actual impact of the data loss were it to fall into the Taliban's hands'. By the time of the review, 16,156 individuals affected by the breach in 2022 had reached the safety of the UK. But it is only now that news organisations can tell that story. An Afghan man now living in Britain is said to be the person who threatened to share the list. According to the Daily Mail, he is in the UK with at least seven relatives.
Economic Times
2 days ago
- Politics
- Economic Times
British military Afghan data breach exposed: government cover-up risked 100,000 lives
British Ministry of Defence headquarters in London, where officials orchestrated Operation Rubific to contain Afghan data breach that exposed thousands of lives to Taliban threats The British military faces scrutiny after a catastrophic data breach exposed up to 100,000 Afghans to potential Taliban retaliation, prompting successive governments to deploy an unprecedented legal cover-up lasting nearly two February 2022, a British soldier accidentally transmitted a database containing 33,000 Afghan records to unauthorized recipients while attempting to verify sanctuary applications. The breach remained secret until August 2023, when an anonymous Afghan threatened to publish the information on Facebook. Also read: UK defence ministry fined for Afghan data breach during ...The leaked database included sensitive personal information about Afghans who had applied for the UK's Afghan Relocations and Assistance Policy (Arap), along with family members' details, phone numbers, and email addresses of British government lawyers warned that if the Taliban obtained the dataset, as many as 100,000 Afghans would face "risk of death, torture, intimidation or harassment." The figure encompassed primary applicants and their family members, some of whom were specifically named in the compromised records. "The fact that the Taliban may be in possession of 33,000 Arap applications, including the primary applicants' phone numbers and all the case evidence, is simply bone-chilling," wrote Person A, an activist helping Afghan refugees, in an email to then-Armed Forces Minister James Heappey. Following the breach discovery, the Ministry of Defence launched Operation Rubific, a covert mission to evacuate affected Afghans while preventing public disclosure. The operation included the largest peacetime covert evacuation in British history. Defence Secretary John Healey revealed Tuesday that 18,500 Afghans affected by the breach have already been relocated to the UK, with an additional 5,400 scheduled for evacuation. The total cost of addressing the breach reached £850 million for 6,900 individuals, according to MoD read: UK launched secret scheme to relocate Afghans after data leak, documents showThe Conservative government secured a superinjunction from the High Court on September 1, 2023, preventing any public disclosure of the breach or the court order's existence. The order remained in place for 683 days, making it the longest superinjunction in British legal history and the first sought by a continued advocating for the superinjunction after taking power in July 2024. Mr Justice Chamberlain criticized the order as a "wholly novel use" of superinjunctions, stating it was "fundamentally objectionable for decisions that affect the lives and safety of thousands of human beings, and involve the commitment of billions of pounds of public money, to be taken in circumstances where they are completely insulated from public debate."While the superinjunction remained active, the government approved spending up to £7 billion over five years to relocate 25,000 affected Afghans under the secret Afghan Response Route (ARR) scheme. Chancellor Rachel Reeves signed off on the plan in October 2024, with the cabinet's home and economic affairs committee deeming it "appropriate." The policy was subsequently expanded in June 2025 to include more than 42,500 individuals before an independent review questioned its necessity. Defence Secretary Healey announced Tuesday the closure of the ARR scheme, leaving thousands of affected Afghans behind. The breach originated when a soldier working under General Sir Gwyn Jenkins at Regent's Park Barracks sent the database to Afghan contacts twice in February 2022. The recipients passed the information to other Afghans, with at least one copy reaching individuals in MoD remained unaware of the breach until August 14, 2023, when an anonymous Afghan posted details on a Facebook group, threatening to publish the complete dataset. Government officials immediately alerted approximately 1,800 Afghans in Pakistan about potential data compromise. Also read: Largest population purge this decade? Iran expels half a million Afghans in rapid crackdown post-Israel wa Independent review questions superinjunction justificationRetired civil servant Paul Rimmer's independent review, ordered by Defence Secretary Healey, concluded that early Taliban targeting concerns had "diminished" and the superinjunction may have worsened the situation by increasing the dataset's value to hostile actors. The review noted that given existing Taliban intelligence capabilities, the dataset was "unlikely to provide considerably new or highly pertinent information." It also warned that publicity surrounding the breach revelation would "clearly be likely to attract Taliban interest in obtaining it." Manchester-based Barings Law represents approximately 1,000 breach victims preparing legal action that could cost taxpayers more than £250 million. The firm criticized the MoD's response as "wholly inadequate," particularly an email apology sent to affected individuals Tuesday morning. "Through its careless handling of such sensitive information, the MoD has put multiple lives at risk, damaged its own reputation, and put the success of future operations in jeopardy by eroding trust in its data security measures," Barings Law stated. Defence Secretary Healey apologized to Parliament Tuesday for the "serious departmental error," acknowledging that "full accountability to parliament and freedom of the press matter deeply to me — they're fundamental to our British way of life."Defence Committee Chairman Tanmanjeet Singh Dhesi called the situation "a mess and wholly unacceptable," indicating potential parliamentary investigation into the breach's circumstances and government superinjunction's lifting enables public scrutiny of government decisions that affected thousands of lives and committed billions in public expenditure without democratic oversight. Many affected Afghans only learned of their exposure through government emails sent Tuesday, nearly three years after the initial breach. Also read: Pakistan in no rush to recognise Taliban government in Afghanistan, say officials Ongoing security concerns for Afghan refugeesIndividuals in the UK and Pakistan reportedly still possess copies of the compromised database, with at least one case involving monetary exchange for the information. The MoD has implemented new security software and appointed a chief information officer to prevent future breaches. Former British Ambassador to Afghanistan Sir William Patey described the incident as a "spectacular data breach," noting that the Taliban were already targeting individuals associated with western forces. "Providing the Taliban with a list would have made their job that much easier," he told Times Radio. The breach highlights systemic data security failures within the Ministry of Defence, with legal experts noting it represents "just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces."
Time of India
2 days ago
- Politics
- Time of India
British military Afghan data breach exposed: government cover-up risked 100,000 lives
Massive Afghan data breach reveals government secrecy The British military faces scrutiny after a catastrophic data breach exposed up to 100,000 Afghans to potential Taliban retaliation, prompting successive governments to deploy an unprecedented legal cover-up lasting nearly two years. In February 2022, a British soldier accidentally transmitted a database containing 33,000 Afghan records to unauthorized recipients while attempting to verify sanctuary applications. The breach remained secret until August 2023, when an anonymous Afghan threatened to publish the information on Facebook. Also read: UK defence ministry fined for Afghan data breach during ... Taliban kill list threatens Afghan lives The leaked database included sensitive personal information about Afghans who had applied for the UK's Afghan Relocations and Assistance Policy (Arap), along with family members' details, phone numbers, and email addresses of British government officials. Government lawyers warned that if the Taliban obtained the dataset, as many as 100,000 Afghans would face "risk of death, torture, intimidation or harassment." The figure encompassed primary applicants and their family members, some of whom were specifically named in the compromised records. "The fact that the Taliban may be in possession of 33,000 Arap applications, including the primary applicants' phone numbers and all the case evidence, is simply bone-chilling," wrote Person A, an activist helping Afghan refugees, in an email to then-Armed Forces Minister James Heappey. Operation Rubific: secret evacuation mission Following the breach discovery, the Ministry of Defence launched Operation Rubific, a covert mission to evacuate affected Afghans while preventing public disclosure. The operation included the largest peacetime covert evacuation in British history. Live Events Defence Secretary John Healey revealed Tuesday that 18,500 Afghans affected by the breach have already been relocated to the UK, with an additional 5,400 scheduled for evacuation. The total cost of addressing the breach reached £850 million for 6,900 individuals, according to MoD figures. Also read: UK launched secret scheme to relocate Afghans after data leak, documents show Government superinjunction prevents media coverage The Conservative government secured a superinjunction from the High Court on September 1, 2023, preventing any public disclosure of the breach or the court order's existence. The order remained in place for 683 days, making it the longest superinjunction in British legal history and the first sought by a government. Labour continued advocating for the superinjunction after taking power in July 2024. Mr Justice Chamberlain criticized the order as a "wholly novel use" of superinjunctions, stating it was "fundamentally objectionable for decisions that affect the lives and safety of thousands of human beings, and involve the commitment of billions of pounds of public money, to be taken in circumstances where they are completely insulated from public debate." £7 billion Afghan response plan approved in secret While the superinjunction remained active, the government approved spending up to £7 billion over five years to relocate 25,000 affected Afghans under the secret Afghan Response Route (ARR) scheme. Chancellor Rachel Reeves signed off on the plan in October 2024, with the cabinet's home and economic affairs committee deeming it "appropriate." The policy was subsequently expanded in June 2025 to include more than 42,500 individuals before an independent review questioned its necessity. Defence Secretary Healey announced Tuesday the closure of the ARR scheme, leaving thousands of affected Afghans behind. Data breach timeline reveals government delays The breach originated when a soldier working under General Sir Gwyn Jenkins at Regent's Park Barracks sent the database to Afghan contacts twice in February 2022. The recipients passed the information to other Afghans, with at least one copy reaching individuals in Pakistan. The MoD remained unaware of the breach until August 14, 2023, when an anonymous Afghan posted details on a Facebook group, threatening to publish the complete dataset. Government officials immediately alerted approximately 1,800 Afghans in Pakistan about potential data compromise. Also read: Largest population purge this decade? Iran expels half a million Afghans in rapid crackdown post-Israel wa Independent review questions superinjunction justification Retired civil servant Paul Rimmer's independent review, ordered by Defence Secretary Healey, concluded that early Taliban targeting concerns had "diminished" and the superinjunction may have worsened the situation by increasing the dataset's value to hostile actors. The review noted that given existing Taliban intelligence capabilities, the dataset was "unlikely to provide considerably new or highly pertinent information." It also warned that publicity surrounding the breach revelation would "clearly be likely to attract Taliban interest in obtaining it." Legal action threatens £250 million government payout Manchester-based Barings Law represents approximately 1,000 breach victims preparing legal action that could cost taxpayers more than £250 million. The firm criticized the MoD's response as "wholly inadequate," particularly an email apology sent to affected individuals Tuesday morning. "Through its careless handling of such sensitive information, the MoD has put multiple lives at risk, damaged its own reputation, and put the success of future operations in jeopardy by eroding trust in its data security measures," Barings Law stated. Parliamentary accountability demands government transparency Defence Secretary Healey apologized to Parliament Tuesday for the "serious departmental error," acknowledging that "full accountability to parliament and freedom of the press matter deeply to me — they're fundamental to our British way of life." Defence Committee Chairman Tanmanjeet Singh Dhesi called the situation "a mess and wholly unacceptable," indicating potential parliamentary investigation into the breach's circumstances and government response. The superinjunction's lifting enables public scrutiny of government decisions that affected thousands of lives and committed billions in public expenditure without democratic oversight. Many affected Afghans only learned of their exposure through government emails sent Tuesday, nearly three years after the initial breach. Also read: Pakistan in no rush to recognise Taliban government in Afghanistan, say officials Ongoing security concerns for Afghan refugees Individuals in the UK and Pakistan reportedly still possess copies of the compromised database, with at least one case involving monetary exchange for the information. The MoD has implemented new security software and appointed a chief information officer to prevent future breaches. Former British Ambassador to Afghanistan Sir William Patey described the incident as a "spectacular data breach," noting that the Taliban were already targeting individuals associated with western forces. "Providing the Taliban with a list would have made their job that much easier," he told Times Radio . The breach highlights systemic data security failures within the Ministry of Defence, with legal experts noting it represents "just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces."
North Wales Chronicle
2 days ago
- Politics
- North Wales Chronicle
Ministry of Defence data breach timeline
Here the PA news agency looks at the timeline of events in the data breach and how governments responded to it: – 22 February 2022 A UK Government worker accidentally emails a dataset containing the personal information of nearly 19,000 people who applied for the Afghan Relocations and Assistance Policy (Arap) outside of a secure government system. He sends the email in an attempt to verify information, believing the dataset to only contain around 150 rows of information. It contains around 33,000. – 14 August 2023 An anonymous Facebook user posts a small excerpt of the dataset on the social media site. The Ministry of Defence (MoD) is notified. Around 1,800 Arap applicants in Pakistan are sent a warning via WhatsApp by UK officials that their data may have been breached. – 15 August James Heappey, then armed forces minister, is sent an email warning by a civilian volunteer who assists Arap applicants after they discover the data breach. The volunteer says: 'The Taliban may well now have a 33,000 long kill list – essentially provided to them by the UK government. 'If any of these families are murdered, the government will be liable.' – 16 August The incident is reported to the Information Commissioner's Office, and later to the Metropolitan Police. – 17 August A journalist from the Daily Mail contacts the directorate of defence communications, which includes the MoD press office, seeking comment on a story he wished to run about the breach, without disclosing the personal information lost. The journalist later agrees not to publish until the MoD has a chance to implement 'protective measures'. – 18 August A representative of Facebook's parent company Meta says that the post has been removed, after requests from the MoD due to the 'risk of physical harm'. – 22 August A journalist from The News Agents podcast contacts the Foreign, Commonwealth and Development Office and says he has information about the data incident. This journalist also agrees not to publish until protective measures completed. – 25 August Then defence secretary Ben Wallace 'personally' makes the decision to apply for a court order. – 1 September The MoD asks the High Court for an injunction for approximately four months so that the government 'may do everything it reasonably can to help those who might have been put at further risk'. Judge Mr Justice Robin Knowles grants a superinjunction until a planned hearing on December 1. The superinjunction, which is made 'against the world', rather than named individuals, is the first of its kind. – 18 September Head media judge Mr Justice Nicklin describes the superinjunction as 'wholly exceptional' and say it 'must be kept under active review by the court'. He brings the planned hearing forward. – 13 October The MoD asks for the superinjunction to continue, with the department's deputy chief operating officer saying in written evidence that the threat to those in the dataset is 'grave'. – 16 November Cabinet committee, the Domestic and Economic Affairs committee meets. Notes from the meeting show plans to establish a compensation scheme, at a cost of between £120 million and £350 million not including administration, once the data breach is made public. – 23 November Mr Justice Chamberlain gives a private judgment where he says granting a superinjunction to the Government 'is likely to give rise to understandable suspicion that the court's processes are being used for the purposes of censorship'. He decides to continue the superinjunction 'for a period of four weeks'. – 12 December John Healey, then shadow defence secretary, is served with the superinjunction and given an initial briefing. – 18 December MoD lawyers describe the risk to life as 'immensely serious, and extends to thousands of individuals' in written submissions. Mr Justice Chamberlain extends the superinjunction until February. – 19 December The Domestic and Economic Affairs committee meets again and says that a new route of settlement in the UK should be offered to some individuals who were ineligible for Arap. This is agreed to be a targeted cohort of around 200 people and their dependents at the highest risk following the data breach, called the Afghanistan Response Route (ARR). – 15 February 2024 Mr Justice Chamberlain continues the superinjunction, finding a 'real possibility that it is serving to protect' some of those identified on the dataset. He adds in a second judgment: 'What is clear is that the Government has decided to offer help to only a very small proportion of those whose lives have been endangered by the data incident and that the decisions in this regard are being taken without any opportunity for scrutiny through the media or in Parliament.' – 21 May Mr Justice Chamberlain rules that the superinjunction should be lifted, but gives the MoD 21 days before the lifting comes into effect. He says there is a 'significant possibility' the Taliban know about the dataset, adding it is 'fundamentally objectionable' that decisions about thousands of people's lives and billions of pounds of taxpayers' money are being taken in secret. – 25 June A two-day hearing behind closed doors starts at the Court of Appeal, as the MoD challenges the decision to end the superinjunction. – 26 June At the end of the hearing, Court of Appeal judges announce that the superinjunction will continue. In a later written ruling, judges Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby say: 'As the number of family members involved is several times the number of affected people, the total numbers of people who would be exposed to a risk of death or serious harm if the Taliban obtained the data is between 80,000 and 100,000.' – 4 July Labour enters Government following the general election. – 11 November The High Court is told by a barrister representing multiple media organisations that the government made a 'misleading' public statement about applications for assistance from Afghanistan. Jude Bunting KC adds in written submissions: 'It is a matter of concern that the public did not know that the claimant had put over 90,000 lives at risk in the recent general election, by reason of this superinjunction.' – 3 February 2025 A review of the data incident response says current plans for the Afghanistan Response Route would mean relocating more Afghans under it than had been relocated under Arap, and would extend schemes for another five years at a cost of around £7 billion. The document, addressed to the Defence Secretary, recommends a review. – 19 May The High Court is told by a Manchester-based law firm that it has more than 600 potential clients who may sue the Government under data protection laws. – 4 July The Defence Secretary concludes that the Afghanistan Response Route should be closed following an independent review which finds the data breach is 'unlikely to profoundly change the existing risk profile' of those named. The review by retired civil servant Paul Rimmer also said that the government possibly 'inadvertently added more value to the dataset' by seeking the unprecedented superinjunction and implementing a bespoke resettlement scheme. Government lawyers tell the High Court that in light of the decision to close the Afghanistan Response Route, the superinjunction 'should no longer continue'. – 15 July Mr Justice Chamberlain lifts the superinjunction.
