The superinjunction on the Afghan leak, put in place to protect lives, arguably became a mechanism to spare the government’s blushes. A tool that was once used mostly to protect celebrities’ privacy had been used to suppress official information.
And although concerns about potential misuse of superinjunctions had prompted assurances in the past that they would be applied for only to cover very short periods, that approach had been abandoned under the guise of national security.
Parliament was also blinded, prevented from examining an issue of great public importance. The result was a lack of scrutiny that shut down the ordinary mechanisms of democracy.
Secrecy on an extraordinary scale
The superinjunction on the Afghan data leak was designed to be in place for four months. Instead it lasted 683 days.
The draconian gagging order, the first to be obtained by the government, was revealed on Tuesday after a two-year legal battle led by The Times.
Its gagging power was so wide-ranging that journalists were prevented from asking basic questions about how the leak happened, who knew what when and who should be held to account.
Breach raises ‘urgent questions’, says Amnesty International
Amnesty International UK’s refugee and migrant rights director Steve Valdez Symonds said the breach was “deeply troubling”.
He said the case “raises urgent and serious questions about how the UK exercises its immigration powers”.
Symonds said: “Decisions about whether those who served alongside British forces in Afghanistan are granted protection have too often been slow, disjointed, and, at times, alarmingly indifferent to the risks these individuals face under Taliban rule.
“This is yet another failure in a long line of broken promises to people the UK owes protection — including the refusal to safeguard Afghan special forces, failures to promptly reunite families, and the recent premature decision to close Afghan schemes.”
Nigel Farage: Tories should never be forgiven
The Conservatives should “never be forgiven” for the breach and cover-up, Nigel Farage has said.
In a video posted to social media, the leader of Reform said the scandal was a story of “incompetence, dishonesty and a threat to our own national security”.
He claimed that among the Afghans flown over to the UK were “convicted sex offenders” and women were at risk from the scandal.
Farage said the £7 billion price tag was “staggering” and the cover-up policy had continued under Labour.
How will people know if they were affected?
The government has launched a “data incident self-checker” for people who applied to Afghan relocation schemes to check if they were included in the breach.
People can check by entering their application reference number or filling out a contact form.
The government is asking people not to call them to ask these questions as “for data protection and security reasons, our call handlers are unable to discuss personal data over the phone”.
Downing Street won’t rule out future superinjunctions
Downing Street declined to say whether the official responsible for the Afghan data breach has faced disciplinary action.
Asked whether they were still employed by the government, the prime minister’s official spokesman said: “We wouldn’t, obviously, as you’d expect, comment on individuals.”
No 10 also would not commit to never again using a superinjunction to prevent reporting of its actions.
The spokesman said: “The government of course welcomes, and as a matter of principle thinks it is right, as you can see in this case, for the public and Parliament to be able to scrutinise all of government’s plans.”
But asked whether he was ruling out future superinjunctions, he said: “I don’t think it’s something I can comment on.”
Government will face ‘no further regulatory action’
The data breach “should never happen again” but “no further regulatory action is required”, the Information Commissioner’s Office has said.
Emily Keaney, Deputy Commissioner, said: “While we have been unable to comment on this matter publicly until now, I want to reassure the public that our expert team has been working behind the scenes to support and provide scrutiny to this internal investigation into what is a complex and sensitive situation.
“We have been clear with the MoD that this incident is unacceptable and should never happen again — the stakes are simply too high. The public must be able to trust that the government has measures in place to protect the personal information and security of the most vulnerable people.”
She added: “We’re reassured that the MoD’s investigation has resulted in taking necessary steps and minimised the risk of this happening again. We are satisfied that no further regulatory action is required at this time in this case.”
Breach was an appalling mistake, says Green Party
It is “absolutely right” that the government acted to bring those exposed by the data breach to the UK, the Green Party has said.
Ellie Chowns, the Green Party spokesperson for foreign affairs, said: “This breach should never have happened.
“Yet, in the face of this appalling mistake, it is absolutely right that the government acted decisively to bring those exposed to safety in the UK.
“These courageous people stood by us at great personal peril and put their trust in the government to not expose them to more risk; the UK owes them nothing less than safe refuge and a chance to rebuild their lives in security and dignity in Britain.”
Government urges ‘vigilance’
The government has urged anyone who may have been affected by the data breach to be cautious and take certain steps to protect themselves.
In its guidance, the Ministry of Defence said: “If you believe that you or your family members have been affected, you should be vigilant. You should be especially careful if an unknown person contacts you.”
They advised people to:
• Not respond to calls, messages or emails from unknown contacts
• Limit who can see social media profiles and not accept requests from unknown individuals
• Consider shutting the social media account down if any suspicious activity is suspected
• Monitor online accounts to check for unauthorised access or change in settings
• Use a VPN wherever possible
• Be wary of unsolicited emails requesting money
• Be wary of telling others that personal data may be vulnerable
People possibly affected were also told not to travel to a third country without a valid passport and visa.
Healey refuses to be drawn on source of leak
The defence secretary refused to specify the role of the person who carried out the leak.
The Tory MP Lincoln Jopp, who commanded the Scots Guards in 2010 in Afghanistan, pointed out that John Healey said it was a defence official, while The Times is reporting it was a soldier.
Jopp said: “I do think it is worth clarifying … because conflating the term defence official to cover members of the armed forces is something which might come back to bite the secretary of state if he continues to do it.”
Healey dodged the question, saying: “The challenge this government faced was far bigger than the actions of one official that long ago. My full focus has been to get to grips with the costs, the proportionality of the schemes and this lack of accountability to Parliament, freedom of the press and public knowledge.”
Defence chairman decries ‘wholly unacceptable mess’
The data breach situation is “a mess and wholly unacceptable”, the chairman of the defence committee told the Commons.
The Labour MP Tanmanjeet Singh Dhesi said he was “minded to recommend to my defence committee colleagues that we thoroughly investigate, to ascertain what has actually transpired here, given the serious ramifications on so many levels”.
Defence secretary ‘not aware’ of other gagging orders
Healey told the Commons he was not aware of further superinjunctions, a type of order by which even the existence of the order is kept secret.
Mark Pritchard, a Conservative MP, asked: “The precedent of a superinjunction is very concerning for this place. How do we know there’s not another superinjunction about another leak? But of course he couldn’t tell us, could he?”
The defence secretary responded: “If there is another superinjunction, I’ve not been read in.”
Healey touts savings from ending evacuation
Healey said thousands fewer Afghans would come to the UK after he ended the secret evacuation scheme and acknowledged the data breach in a statement to parliament.
He added that the taxpayer would pay “£1.2 billion less” as a result.
Healey: We have addressed data issues
The government has installed new software to securely share data, Healey said.
Asked by James Cartlidge, the shadow defence secretary, about work on “moving to a more secure system”, Healey pointed out that this data leak was “just one of many from the Afghan schemes” during the Conservative government.
Since Labour came to office, Healey said the government had appointed a new chief information officer and installed the software, as well as completed a “comprehensive review of the legacy Afghan data on the casework system”.
‘Latest in a long line of data breaches’
The Ministry of Defence “seems institutionally incapable of keeping information secure”, a specialist data breach lawyer has said.
Sean Humber from the law firm Leigh Day said the breach could “only be described as catastrophic”, adding: “Unfortunately, this is just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces.
“There is now an urgent need for a thorough and independent review of the MoD’s whole data-processing policies and practices in order to try and prevent yet further breaches.”
Afghan citizens who had applied for relocation to the UK have already expressed their concern “at the risks posed by their personal information now being in the hands of the Taliban, who continue to imprison, torture and kill those suspected of previously assisting international forces”, he said.
Former ambassador: Leak made Taliban murder easier
Sir William Patey, the former British ambassador to Afghanistan, told Times Radio it was a “spectacular data breach” and that Afghans who worked for the British Army, Nato forces or the UK government were placed at risk.
“Certainly the Taliban were going around looking for individuals who had been associated with the previous regime and were working with Nato,” he said. “So there was no doubt that they were at risk. Providing the Taliban with a list would have made their job that much easier. It wouldn’t have been the only method they had of tracking people down.”
He added the “spectacular mistake” had resulted in the government bringing more Afghans to Britain, and at a quicker pace, than it otherwise would have done.
Tory ex-minister responds with apology of his own
James Cartlidge, the shadow defence secretary, was a minister in the MoD in August 2023, when the Conservative government at the time became aware of the data breach. He has also apologised in the Commons, saying: “This data leak should never have happened and was an unacceptable breach of all relevant data protocols”.
He added: “It is nevertheless a fact that cannot be ignored that, when this breach came to light, the immediate priority of the then-government was to avoid a very specific and terrible scenario — namely, an error by an official of the British state leading to torture or even murder of persons in the dataset at the hands of what remains a brutal Taliban regime.
“As the Rimmer review confirms, that scenario, thankfully, appears to have been avoided.”
The Times understands a regular soldier working under the command of General Sir Gwyn Jenkins, the current head of the Royal Navy, leaked the list — twice — in February 2022 as he was trying to verify Afghan applications to come to Britain.
He sent the database to Afghans in the UK who then passed it on and in at least one case one of them threatened to publish it. One of the Afghans who received the list is understood to have been brought to Britain along with seven members of their family.
It was not until August 2023, 18 months later, that the MoD was alerted to the data breach when an anonymous Afghan threatened to publish the list in a post on Facebook. An extraordinary mission called Operation Rubific was launched to protect lives and cover up the data leak.
Healey apologises for ‘serious error’
Healey has apologised for the leaked spreadsheet, saying it was a “serious departmental error”.
He went on to acknowledge his statement would prompt much scrutiny, adding that “full accountability to parliament and freedom of the press matter deeply to me — they’re fundamental to our British way of life”. A swifter public statement was not possible because “lives may have been at stake”, he said.
Schemes shut down and leave Afghans behind
Healey has ordered a shift in policy that will mean the vast majority of those affected by the data breach will be left in Afghanistan.
Some 5,400 more Afghans affected will be brought to Britain in the coming weeks because they have already received invitation letters, taking the total number of those caught up in the breach and brought to the UK to 23,900 Afghans. No new applications will be accepted as the schemes are shut down.
Thousands of secret arrivals
A total of 18,500 Afghans affected by the data breach have been flown to the UK so far. Of those, 4,500 were secretly brought under a new scheme that was shut down before the public and MPs even knew it existed.
Those brought to Britain had no idea they had been put at risk by a leak of their confidential data.
MoD housing and hotels have been used to handle the fallout and there are concerns bed spaces could soon run out as councils “creak under the pressure”, court documents disclosed. The government said it feared rioting, especially because the superinjunction has been lifted during the summer, when the risk is deemed to be higher.
Firm in ‘£250m lawsuit’ seeks substantial payouts
Barings Law, a Manchester-based firm acting for about 1,000 victims of the data breach, is preparing legal action that could cost taxpayers more than £250 million. In a statement it said this was an “incredibly serious data breach, which the Ministry of Defence has repeatedly tried to hide from the British public”.
“Through its careless handling of such sensitive information, the MoD has put multiple lives at risk, damaged its own reputation, and put the success of future operations in jeopardy by eroding trust in its data security measures,” it said.
It said the MoD had issued an email apology to those affected this morning but “failed to meet its legal obligation to clearly inform victims about exactly what personal data was compromised, instead advising them to take steps such as deleting their social media profiles”.
This response, according to Barings, was “wholly inadequate”, and it expected “substantial financial payments” for each claimant in any future legal action.
Healey: The secrecy was ‘deeply uncomfortable’
John Healey, the defence secretary, is outlining the data blunder and revealing the existence of the unprecedented superinjunction to the House of Commons.
He said it had been “deeply uncomfortable to be constrained from reporting to this House”. Healey said the superinjunction was granted and the secret resettlement route created under the previous Conservative government, adding: “I’m closing this resettlement route, I’m disclosing the data loss.”
Since its election the Labour government has advocated for the superinjunction to remain in place, until the recent change in the Ministry of Defence’s risk assessment.
Healey added: “No government wishes to withhold information from the British public, from parliamentarians or the press in this manner.”
Did superinjunction make matters worse?
The superinjunction was abandoned by the government after an independent review by the retired civil servant Paul Rimmer, which said early concerns about the risk of the Taliban targeting those on the list had “diminished” and the superinjunction may have made matters worse.
It concluded that given the extent of data already available, the dataset was “unlikely to provide considerably new or highly pertinent information to the Taliban”. It also noted that the “glare of publicity around revelation of the data loss would clearly be likely to attract Taliban interest in obtaining it”.
The review raised serious questions about whether the injunction was justified for the duration of the time it remained in place and the risk assessment on which it was based.
A £7bn plan to evacuate those affected
While the superinjunction remained in force the government signed off proposed plans to spend £7 billion of taxpayers’ money on bringing 25,000 of the affected Afghans to the UK. These were not previously eligible to come under existing government schemes.
Significant policy decisions were made affecting the budget, housing and immigration policy without any parliamentary scrutiny. As recently as June ministers then secretly planned to bring more of those Afghans at risk — totalling more than 42,500 people — before an independent review ordered by Healey said that may no longer be necessary.
The injunction’s gagging power had been so wide-ranging that journalists were prevented from asking basic questions and the government said it needed to “provide cover” for large numbers of Afghans arriving, arguably misleading parliament by not explaining the whole story.
Afghans were not told they were on ‘kill list’
The Ministry of Defence feared that if knowledge of the dataset became public then the Taliban would find it and be able to start working through what one activist described as a “kill list”.
Conservative ministers secured a superinjunction in the High Court on September 1, 2023, which prevented anyone reporting the incident or that a court order even existed. When Labour came to power in July 2024 they continued to argue it should remain in place and it was not until January this year that John Healey, the defence secretary, ordered a review of the policy.
Afghans who were on the “kill list” were not told that their lives may be at risk despite concerns the Taliban could suddenly come into possession of the list.
I investigated the Afghan data leak. Ministers were gambling with death
At about 10am on Thursday January 25, 2024, I called a senior member of the Ministry of Defence press office, whom I had known for years, to tell them I was aware of a data leak. It had put lives at risk and it was the subject of a superinjunction, I said.
I told him I had known about the matters for some time and wanted to join the court proceedings. I did not realise at the time that everything I said during that initial phone call would be written down and submitted to the High Court. It would form part of a 1,568-page bundle of evidence documenting the longest ever superinjunction and the only one to be sought by a government.
I had no idea of the magnitude of what I was dealing with.
Thousands of Afghans receive ‘concerning’ email
Tens of thousands of Afghans have begun receiving an email from the UK government telling them their data has been breached. In the email, seen by The Times, they are warned their information was sent outside “secure systems” and may have been “compromised”. “We understand this news may be concerning,” it says.
The email urges the Afghans to “exercise caution and not take phone calls or respond to messages or emails from unknown contacts”. It also urges Afghans not to travel to third countries without a valid passport and visa.
“If you do so, you will be putting yourself at risk on the journey, and you may face the risk of being deported back to Afghanistan,” it says. One activist told The Times her phone was “blowing up” with messages from concerned Afghans.
Inside Operation Rubific: ‘kill list’, secrecy and a rescue mission
Alarm bells rang in the summer of 2023 when an activist helping Afghans who had served with UK forces during the war reached out to a defence minister.
It was 9.57am on Tuesday, August 15. “Person A”, as she later became known in court documents, was panicking.
She had become aware of a massive data breach involving tens of thousands of Afghans. What the government did next — and how quickly — was a matter of life and death.
Conservatives and Labour both sought to cover up leak
Successive governments had tried to stop the public and parliament from knowing about the data breach in the Ministry of Defence, which it had said put up to 100,000 Afghans at risk of torture and death.
The Afghans, some of whom had served alongside UK forces during the war, had applied for sanctuary in the UK because of fears they could be targeted by the Taliban.
But a database containing their confidential information, including their contact details and names of their family members, was sent by a British soldier to Afghans already in the UK who then passed it on to individuals in Afghanistan. One of those who received the dataset threatened to post its contents in a Facebook group 18 months later.
Full report: Leak that risked 100,000 lives — and a £7bn cover-up
The British military is responsible for a data leak that put up to 100,000 Afghans at risk of death — and successive governments have spent years fighting to keep it secret using an unprecedented superinjunction.
UK government officials were left exposed when in February 2022 a soldier inadvertently sent a list of tens of thousands of names to Afghans as he tried to help verify applications for sanctuary in Britain.
Gag order ‘shut down mechanisms of democracy’
The longest ever superinjunction and the first to have been secured by the government has been lifted in the High Court after nearly two years and a lengthy legal battle spearheaded by The Times.
Mr Justice Chamberlain said the “long-running and unprecedented” order, which stopped the world from knowing about a data breach concerning Afghans applying to come to Britain, had given rise to “serious free speech concerns” and had left a “scrutiny vacuum”.
Handing down his judgment at midday on Tuesday, he said the gagging order had the effect of “completely shutting down the ordinary mechanisms of accountability which operate in a democracy”. The superinjunction was in place for 683 days.