Hundreds of Ministry of Defence (MoD) data breaches have been revealed as questions intensify over its ability to keep sensitive information safe in the wake of the Afghan data breach.
The latest MoD data shows there were 569 incidents in 2023-24 – up from 550 the previous year – which included electronic devices being lost and protected documents not being disposed of properly.
In one incident last year, the details of 272,000 staff – including names and bank details – were breached when one of its systems, run by an external contractor, was hacked by a “malign actor”.
In another case, the MoD was fined £350,000 by the Information Commissioner for a breach related to the handling of emails linked to the Afghan Relocations and Assistance Policy (ARAP) – the scheme to bring Afghans with links to British forces to safety in UK.
Lord Beamish, the chairman of the powerful Intelligence and Security Committee (ISC), has demanded the MoD explain why high-security information is being held on low-security systems.
It follows the revelation this week of a catastrophic data breach, which exposed 100,000 Afghans to potential reprisals from the Taliban, costing the UK taxpayer billions and prompting a three-year cover-up through the use of an unprecedented superinjunction.
Further concerns emerged on Thursday after it was revealed that British spies and special forces soldiers were also potentially exposed by the incident.
Last year, Sir Grant Shapps made a statement to the Commons revealing how hackers had gained access to part of the armed forces’ payment network.
The contractor-operated system in question held the names, bank details, and in some cases addresses of soldiers, reserve personnel and recently retired veterans.
Already, members of the ISC, which has a statutory duty to hold government agencies to account, are furious that the MoD ignored a request by a judge to share the details of the original Afghan data breach with the committee.
But now the Labour peer who chairs the committee has raised questions over whether the MoD’s systems to handle sensitive data are good enough.
Lord Beamish said: “There seems to have been a number of breaches. It raises questions not just about the systems but how they are used. The big unanswered question on the Afghanistan data leak is why such secret information was being held on a low-side system and not a secure encrypted system.”
The ISC has demanded documents relating to the Afghan breach and could launch its own inquiry into the scandal. But the issue is also set to be raised in the inquiry that the Commons defence select committee will hold after the summer recess.
Tan Dhesi, the Labour defence select committee chair, said: “This is going to end up being one of the most costly email blunders in history. It has huge ramifications on so many different levels, including for transparency within our democracy.
“Rigorous safeguards must be in place to ensure that this cannot happen again. It’s shameful that courageous Afghans who served alongside British soldiers have had their safety jeopardised by this leak.
“While our defence committee has agreed to inquire into this shocking situation, we have yet to determine the full scope for that, including who will be called to give evidence.
“The revelation that this breach has also put our brave British service personnel at risk makes the situation even more shocking. I am sure the committee will want to understand how this could have been allowed to happen.”
Another Labour MP on the committee, Calvin Bailey, who was the wing commander responsible for organising extraction flights from Kabul when the Taliban swept to power in 2021, said he didn’t have confidence in the MoD’s systems.
Asked if he thought the MoD is properly protecting data, he said: “No I don’t. Why was this data aggregated on an official unclassified system?”
The Labour for Leyton and Wanstead MP, who has described how the chaos around the retreat from Afghanistan prompted him to give up a glittering military career to enter politics, warned that under-resourcing and understaffing at the MoD also likely contributed to the Afghan data breach.
Former Tory defence secretary Sir Grant Shapps, who oversaw the superinjunction being imposed and the creation and expansion of a secret route to bring Afghans to the UK, has broken his silence to defend his actions.
Sir Grant told the BBC: “You can argue that actually that circle should be wider, but in the end, the number one priority was to make sure that we protected lives and people weren’t murdered.
“It’s a pretty stark decision to make, and the more you open that up, the more likely that is.”
He claimed that “the public understands that there are times where you simply have to act in the most maximalist way”.
The MoD has been approached for comment.
