The Ministry of Defence (MoD) was explicitly warned about the risks of sharing spreadsheets containing hidden tabs before a major data breach exposed the personal details of nearly 19,000 Afghan nationals, newly released documents show.
The Information Commissioner’s Office (ICO) published internal records this month confirming that MoD staff had guidance in place cautioning against hidden data in documents at the time of the leak. Despite this, in 2022, an MoD official sent out a spreadsheet containing a concealed tab with sensitive details of Afghans seeking resettlement in the UK after the Taliban takeover.
The exposed data included names, contact details, and in some cases, information about family members of individuals with links to British forces during the war in Afghanistan—details that many feared could put lives at risk. The government has estimated the fallout from the breach could ultimately cost taxpayers around £850 million, making it what officials privately described as “the most expensive email ever sent.”
Initially, reporting of the breach was blocked by a High Court super-injunction in September 2023, which remained in place until last month.
Shortly after the incident came to light internally, the MoD notified the ICO, as required by law. The regulator held a series of confidential meetings with government officials over the following two years. However, documents reveal that ICO staff expressed unease about the decision not to launch a full investigation or issue a fine, despite previously levying a £350,000 penalty for a smaller Afghan-related data breach in 2023.
Internal correspondence showed staff worried about “reputational risk” to the regulator, with one employee noting the reasoning for avoiding enforcement action amounted to an “imperfect answer.”
The ICO said its focus had been on ensuring the government improved data security. But in its published memo, the regulator also stressed that lessons had not yet been fully learned. “The MoD was aware of the risks of sharing data and explicitly referenced the need to remove hidden data from datasets,” the memo noted.
Hidden tabs, a standard feature in spreadsheet software, can conceal data from casual view but remain accessible if settings are changed—posing significant risks when sensitive information is involved.
The MoD has said it has since strengthened procedures to avoid future breaches. However, critics argue that the lack of financial penalty undermines accountability for a failure that left thousands of vulnerable people at risk.
The ICO released the documents earlier this month in response to a Freedom of Information request, shedding light on the behind-the-scenes handling of one of the UK’s most serious government data leaks in recent history.
