MoD warned over Excel risks before Afghan data breach

Published: 14 November 2025. The English Chronicle Desk. The English Chronicle Online.

The Ministry of Defence was aware of the dangers of relying on outdated and inappropriate data management systems long before one of the most serious information breaches in modern British history exposed the identities of nearly 24,000 Afghans and their families. That is the stark conclusion of a cross-party group of MPs, who say the Government repeatedly ignored clear warnings and failed to upgrade its handling of sensitive personal information, even as the security situation in Afghanistan deteriorated and the risk to those seeking sanctuary in Britain grew more acute.

The House of Commons Public Accounts Committee issued a sharply critical assessment of the failures that led to the 2022 Afghan data leak, describing a pattern in which lessons were not learned from previous breaches and internal safeguards were not strengthened despite mounting evidence that the Ministry’s reliance on Microsoft Excel was placing thousands of lives at direct risk. According to the committee, the MoD’s use of basic spreadsheets to process and store confidential data related to the Afghan Relocations and Assistance Policy scheme represented a systemic vulnerability that had been allowed to continue unchecked.

The spreadsheet error that triggered the crisis occurred when the names of almost 19,000 applicants under the Arap scheme were mistakenly attached to an email and shared widely instead of being held within a secure system. Shortly afterwards, a second group of approximately 5,000 individuals and relatives of Afghan soldiers were also swept up in the fallout. Although the breach took place during a period of heightened international tension, MPs say it was not an unforeseeable accident but the culmination of repeated failures to modernise and protect the information of those whose lives depended on the UK’s promise of safety.

The consequences were immense. The data leak instantly exposed thousands of Afghans who had cooperated with the British military, placing them and their families at grave risk of reprisals from the Taliban. It forced ministers into an emergency relocation plan that the committee describes as both costly and opaque, with officials struggling to account fully for the financial implications. The MoD initially estimated the five-year cost of the relocation scheme at £850 million, but MPs now say this figure does not include potential compensation claims or the expenses associated with legal action arising from the breach. Nor does it capture the practical and humanitarian challenges of resettling tens of thousands of people who had every reason to believe they were protected by the British state.

What has made the episode even more contentious is that it was kept hidden from the public for 683 days. The decision by two successive governments to impose an unprecedented super-injunction prevented any reporting on the breach, effectively shielding the Ministry from scrutiny while emergency support operations were quietly unfolding behind the scenes. That legal order was eventually overturned following a challenge from The Telegraph and other media organisations, who argued that public interest in the scale and seriousness of the incident outweighed the Government’s case for secrecy.

The committee’s report points out that warning signs were evident long before the 2022 breach. In 2021, the MoD reported data incidents to the Information Commissioner’s Office that were significant enough to draw formal attention and raise alarms about the Ministry’s practices. One of those incidents led to a £350,000 fine in 2023 after the personal details of Afghans fleeing the Taliban were accidentally shared with 245 email recipients. MPs say these earlier episodes should have prompted urgent reform. Instead, the Ministry continued to rely on spreadsheets and inadequate internal control systems at a time when it was handling some of the most sensitive information in government.

Sir Geoffrey Clifton-Brown, the committee’s chairman and a long-serving Conservative MP, said the findings painted a picture of a department that had resisted necessary changes despite clear evidence of escalating danger. Speaking after the release of the report, he warned that the MoD’s repeated failures had placed thousands of lives at risk and left taxpayers facing a bill running into hundreds of millions of pounds.

He noted that the committee had “no confidence” that such a breach could not happen again, adding that the Ministry’s culture, processes and oversight mechanisms remained too weak to prevent further exposure of personal information. He argued that the reliance on outdated systems like Excel, while simple and familiar to many staff, was wholly inappropriate for handling the confidential details of individuals seeking protection from a hostile regime.

The MPs’ findings have reignited questions about how government departments manage critical information and whether sufficient investment has been made in secure digital infrastructure, particularly in areas involving refugees, defence personnel, and confidential operational data. While the MoD has pointed to improvements since the breach, including the introduction of a new secure casework system specifically for Afghan resettlement, the committee maintains that these changes have been slow, insufficient and reactive rather than proactive.

In response to the report, a spokesman for the Ministry of Defence acknowledged that the 2022 incident “should never have happened” and said the department was continuing to make improvements. He insisted that the Government had never hidden the overall cost of Afghan resettlement, noting that spending figures were published in the 2024 audit, and reiterated that the estimated £850 million cost of the Afghanistan Response Route scheme remained accurate. He also defended the decision to lift the super-injunction earlier this year, describing it as an important step in enabling public and parliamentary scrutiny.

While the Government maintains that it is taking steps to prevent such failings from recurring, the committee’s judgment underscores a deeper problem: a culture within parts of the MoD that has been slow to adapt to the complexities of modern data security. The report describes a “failure to learn lessons” that extended across several years and multiple departments, suggesting that the Afghan data breach was not simply a technical error but a symptom of wider institutional shortcomings.

For the thousands of Afghans whose names were exposed, many of whom had risked their lives to support British forces, the impact of the breach has been profound. Relocation to the UK has offered safety for some, but many remain in precarious situations, separated from families or still waiting for the full support they were promised. The leak also placed enormous pressure on refugee services, legal advisors and humanitarian organisations, which have spent the last three years working to protect those whose identities were compromised.

As Britain continues to process the long aftermath of the breach, the Public Accounts Committee’s report serves as a stark reminder of the human cost of failing to protect sensitive information. Beyond the financial burden and political ramifications, the episode highlights the essential responsibility that government departments bear when handling the personal details of vulnerable individuals. The MoD’s challenge now is to demonstrate that it has not only understood the seriousness of its past mistakes but is capable of preventing history from repeating itself.