Afghan Data Leak

           

No point in beating about the bush on this one – the data leak by Britain’s Ministry of Defence (MoD), which reveals details of Afghan nationals who assisted UK armed forces during the war in that Godforsaken country, is a disaster. This, and the subsequent attempts by the UK government to cover it up, constitutes a national scandal of gargantuan proportions.

As everybody knows by now, the information revealed may affect up to 100,000 former Afghan soldiers, interpreters, and their families. There’s no doubt in anyone’s mind that the Taliban have this information now and will use it to hunt down what they regard as traitors and enemies.

The leak, in February 2022, exposed the personal details of 18,714 Afghan nationals who had applied for relocation under the Afghan Relocations and Assistance Policy (ARAP). The data, mishandled by a Royal Marines officer, was emailed insecurely, highlighting vulnerabilities in MoD systems.

This is a scandal on multiple levels. The first of these is that it was able to happen at all.

The ARAP database should have been managed on a system accredited to UK standards like ISO/IEC 27001 and the Government Security Policy Framework (SPF). Accreditation ensures encryption, access controls, and audit trails. No evidence confirms the system was accredited, a critical oversight.

So human error caused the breach of security, but the underlying reason was a systemic failure in MoD data handling protocols. Typically the MoD/government has set the press pack on the track of the individual responsible in an attempt to cover up its own incompetence. But such is the outcry that I don’t think that rather cynical tactic is going to work.

Astonishingly, the leak went undetected until August 2023, when an individual boasted on Facebook that they had the data. It’s clear that real-time monitoring and audit systems, a requirement of the government’s Security Policy Framework (SPF), were absent, delaying the response and increasing the risks to those named.

That the government then chose to seek a super injunction to cover up the failure beggars belief. This “contra mundum” order, the first granted to the government, cited national security to protect Afghans from Taliban reprisals. But the real truth is that it was sought to save the MoD and government from the embarrassment of their own incompetence.

The injunction silenced journalists and MPs, creating a “scrutiny vacuum” as noted by the judge who lifted the order earlier this week, raising concerns over government transparency.

The breach endangered lives, with 17 Afghans believed killed by the Taliban, 14 after the incident. The MoD’s failure to protect those who supported British forces is a profound betrayal of trust. Then the government used Stansted airport and RAF Brize Norton as hubs for unmarked charter flights to relocate Afghans. In addition to the cost to the British taxpayer, this secrecy, described in court as misleading Parliament, was clearly aimed at avoiding political fallout.

And so it goes on, and more and more skeletons appear from the closet. Now we learn that over 100 names of UK MI6 operatives, special forces soldiers from the SAS and SBS, and sundry others were also on the list.

Arguably the British personnel will have had ample time to cover their tracks and identities as best they can during the years that the super injunction was in place, and it is unlikely that any are under direct threat from the Taliban. But it is probable that their names have found their way to various organisations in Russia, China, and possibly North Korea and Iran, where they will have been viewed with great interest.

Where did it all go wrong? Unaccredited systems and weak access controls allowed the dataset to be shared insecurely. The MoD’s failure to implement robust technical safeguards was a critical lapse in protecting sensitive data. On top of this, the absence of specific SyOps (Security Operating Procedures) and inadequate training left ARAP staff unprepared. And the MoD’s reliance on generic policies failed to address the unique risks of the ARAP database.

Worryingly, the MoD’s use of a super injunction and deception reflects a culture where secrecy is prioritised over accountability. This prioritisation of reputation over transparency is at variance with its duty to protect data and lives. Its inability to secure sensitive information must raise questions about its competence as a government department.

All in all, the evidence points to a systemic failure much more than an individual error, and the MoD’s emphasis on a single officer’s mistake is a calculated move to mask this. This breach, concealed by a super injunction, exposes a department incapable of safeguarding data or lives, demanding urgent reform to restore trust.

Nothing more than a full judge-led public inquiry will now be adequate to reveal the truth behind this national embarrassment.

 

Lt Col Stuart Crawford is a defence analyst and former army officer. Sign up for his podcasts and newsletters at www.DefenceReview.uk

 

 
