
MoD staff were warned not to share hidden data before Afghan leak



Ministry of Defence staff were warned before the Afghan data leak not to share information containing hidden tabs, according to documents released by the UK’s data regulator.

Last month it emerged that the details of almost 19,000 people fleeing the Taliban who had applied to move to the UK were leaked when an official emailed a spreadsheet that contained a hidden tab with the information.

Documents released by the Information Commissioner’s Office (ICO) also show that staff there raised concerns about why the body had not issued a fine to the MoD.

The MoD said they had worked to improve data security, but an ICO spokesperson said the government had not yet done enough to learn the lessons.

According to an ICO memo, guidance in place at the time of the leak showed that the “MoD was aware of the risks of sharing data and explicitly referenced the need to remove hidden data from datasets”.

Hidden tabs are a common feature in spreadsheet software and make information invisible to the user, but still easily accessible if the settings on a document are changed.

The government estimates that the 2022 leak, which led to an emergency resettlement scheme for people at risk of persecution by the Taliban, will eventually cost around £850m.

The leaked document contained the names, contact details and, in some cases, family information of thousands of people who believed their association with British forces during the Afghanistan war could leave them at risk of harm.

A super-injunction granted by the High Court in September 2023 prevented the incident being reported for almost two years, before the order was lifted last month.

Shortly after the MoD became aware of the data breach in 2023, they informed the UK’s data regulator, the ICO. The two bodies held a number of secret meetings over the next two years and documents published by the regulator reveal some of what was discussed.

They say that government officials described the leak as likely “the most expensive email ever sent”, and internal emails also show that ICO staff raised concerns about why the body had chosen not to independently investigate the MoD or issue a fine.

Data breaches by public bodies must legally be reported to the ICO, which can then decide to investigate and potentially fine the organisation responsible.

ICO staff privately discussed the potential “reputational risk” to the regulator after it chose not to take action against the MoD, despite issuing a £350k fine for a much smaller Afghan data breach in 2023.

In an email sent the afternoon before the leak became public, one ICO staff member said their justification for not fining the government was still an “imperfect answer”.

The documents were published by the ICO earlier this month following a Freedom of Information request which was not submitted by the BBC.

Written notes were forbidden during the secret meetings, but an ICO memo detailing the whole timeline was drawn up after the incident became public just last month.

The memo says the MoD took “intensive measures to recover and delete data from all identified sources” and “limit loss of control” after the breach was discovered.

In a private email discussion, one ICO staff member questioned why it was “taking so long to decide whether to investigate” and said “if I was a journalist I would ask why has it taken two years to ascertain whether or not to take action”.

Another said the ICO had played a “significant role” but said “the reality is that we have only been able to review information in situ and been reliant on the MoD to gather evidence under our guidance”.

Documents show the ICO ultimately decided against sanctioning the MoD because it did not want to “impose additional cost to the taxpayer”.

Last week, BBC News revealed there had been 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking safety in the UK.

An ICO spokesperson said they had “focused clearly on making sure that the causes of breaches were identified, rectified and lessons learned”.

They said the government had “not yet done enough to achieve the pace of changes” required and said they had asked for “assurances that necessary improvements are being made and standards are being raised”.

An MoD spokesperson said the government had worked to “improve data security across the department through better software, training and data experts”.

They added: “We have worked hand-in-hand with the ICO during an internal investigation and accepted all recommendations in full to ensure a similar incident doesn’t happen again.”

It comes as it emerged the UK’s Information Commissioner has urged the government to do more to prevent data breaches, such as the Afghan leak.

In July – after the Afghan breach was made public – the commissioner John Edwards wrote a letter to the Chancellor of the Duchy of Lancaster, Pat McFadden, saying the government “needs to go further and faster to ensure Whitehall, and the wider public sector put their practices in order”.

The commissioner said ministers should “as a matter of urgency” fully implement the recommendations of an information security review carried out in the wake of a string of public sector data breaches.

The review, undertaken in 2023 by the previous Tory government, was made public for the first time on Thursday after pressure from Dame Chi Onwurah, chairwoman of the Science, Innovation and Technology Committee.

She said the government “still has questions to answer” about the review and why only 12 of the 14 recommendations have been implemented.

In a letter to Dame Chi, McFadden said “good progress” had been made on improving data standards “but we must guard against complacency”.

“This is an area on which we must keep a consistent focus to ensure standards continue to improve,” McFadden said.


