Afghan data breach is the long shadow of a botched evacuation

Between 14 and 28 August 2021 the UK government evacuated 15,000 Afghans and British citizens from Afghanistan under Operation Pitting. This is a remarkable number in such a short time span, but the number belies “inexcusable” mismanagement.  

The existence of a super-injunction and ‘secret’ relocation scheme resulting from a data breach in 2022 – where a Ministry of Defence official shared the details of 18,714 Afghans – has put the UK’s relationship with Afghanistan back in the spotlight. Only two weeks prior to that revelation, on 1 July, the government closed the remaining schemes available to bring at-risk Afghans to the UK (the “Triples” review, where previously rejected applications from Afghan special forces are being reviewed after it was found they were being treated inconsistently, is the only exception).

Journalists and MPs are asking legitimate and important questions about the novel use of the super-injunction and the length of time it was in place for, and the implications for government scrutiny. The government must not lose sight, however, of the root cause of this situation: a failed crisis response to the withdrawal from Afghanistan in August 2021.

This data breach is part of the long tail of a botched crisis response

Accidental data breaches happen, and it’s impossible to say definitively what would or would not have stopped this one. We do know, however, that the government system for identifying, prioritising and evacuating at-risk Afghans to the UK was abysmal, and this will have greatly increased the likelihood of such a breach.

The picture of the “confusion and chaos” in the FCDO’s crisis response was built up painstakingly by the Foreign Affairs Committee and includes the direct evidence of two civil servants who worked on the evacuation. The FAC’s report is damning: emails from Afghans seeking evacuation being forwarded between six response mailboxes, with no processes for handling or tracking correspondence, many left unanswered and unread, and a “groundhog day” ¹³ i https://committees.parliament.uk/writtenevidence/107001/html/  despair as officials tried to impose order only to see it disappear by the time they next came on shift.

That environment resulted in two things. The first was poor data handling, processing, and security protocols for clearly sensitive information. The second – in part a symptom of the first – is a culture in which individuals felt that circumnavigating government processes was the best way to support Afghans – we have seen reports that the MoD official sent the names to a contact he “hoped would help verify their applications”. ¹⁴ https://www.theguardian.com/commentisfree/2025/jul/15/afghanistan-uk-data-leak-taliban-britain  A better crisis response would have resulted in a very different environment.

Government must learn the lessons from this crisis

Our recent research has found that ministers need to play many roles in a crisis, from decision maker to problem solver. The foreign secretary and FCDO permanent secretary were criticised for being on holiday in August 2021, and it is reasonable to expect they would return during such an event. But this obscures a crucial issue: crisis response systems should be resilient to the absence of key personnel, and when – as was the case in 2021 – they were shown not to be, those leaders should have been able to reimpose order and direction. The data breach that happened months later is one indicator they failed to do so.

The lack of leadership – in the resilience of the systems in place, and over time – meant core decision-making roles weren’t being played. Ministers needed to set clear direction on who was eligible for relocation, and civil servants needed to translate those into action. Instead, there was no clarity on the approach to prioritising groups for evacuation. Take, for example, contractors who had supported the UK: civil servants were told one day they were eligible, and the next they were not. ¹⁸ https://committees.parliament.uk/writtenevidence/107001/html/  Changing decisions as more information becomes available is a valid response; failing to provide clarity on the objectives of those decisions and allowing uncertainty to pervade the system is not.

Part of the reason (among many) for this lack of clarity was a failure of government coordination. Government crisis literature is adamant on the need for a lead minister and department. But policy on evacuation (and indeed the operation as a whole) was being run by FCDO, Home Office and the Ministry of Defence, without the cross-government leadership needed to bring coherence.  

The Foreign Office carried out its own exercise to learn the lessons from the 2021 evacuation. These include commitments to get proper information management sorted at the start of a crisis, to testing cross-Whitehall coordination mechanisms, and to refresh crisis training skills. ¹⁹ https://committees.parliament.uk/publications/22321/documents/165032/default/  It can be all too easy to let these reports languish on the shelf, collecting dust until the next crisis. The Foreign Office is doing its best to avoid that – it has updated parliament on their implementation ²⁰ https://committees.parliament.uk/publications/45184/documents/223715/default/ , and set up a permanent team whose job it is to assure lessons from all crises are really learned.  

The defence secretary is right to say that that “this is bigger than the actions of a single individual”. This data breach should be a sobering reminder of the costs of a poor crisis response, and the importance of implementing those lessons. Healey and his colleagues should take the opportunity now to prepare themselves for the next crisis, and make sure that the systems for responding are working better than they were in 2021.