In what has been described as the most expensive email in history, a British Ministry of Defence official's accidental data breach in February 2022 has cost the UK government up to £2 billion and prompted an unprecedented two-year cover-up involving a secret Afghan resettlement programme.

A spreadsheet containing the personal information of about 18,700 Afghans and their relatives – a total of about 33,000 people – was accidentally forwarded to the wrong recipients by email in February 2022, Defence Secretary John Healey told lawmakers in the House of Commons on Tuesday.

The leaked data included names, contact details, and family information of Afghans who had applied for relocation to the UK between August 2021 and January 2022 following the Taliban takeover of Afghanistan.

The British soldier at the centre of the leak, who had been tasked with verifying applications for relocation, is understood to have mistakenly believed the database contained the names of 150 applicants, when it actually contained personal information linked to some 18,714 people. The official was attempting to send what they thought was a small extract to Afghan contacts in Britain to help verify applications under the Afghan Relocations and Assistance Policy (ARAP).

The spreadsheet contained hidden data that was not visible to the sender. In Excel and similar spreadsheet programs, entire rows and columns can be hidden from view while the data remains present and accessible within the file. When a row or column is hidden, it remains part of the worksheet but is not visible on the screen, yet the data within the hidden sections is still included when the file is sent or shared.

Instead of sending a small extract to his Afghan contacts in Britain, the Royal Marine emailed them a spreadsheet containing hidden data relating to all 25,000+ Arap applicants at the time. The spreadsheet appeared to show only 150 names to the sender, but actually contained the full database of applicants concealed in hidden rows or columns, creating a situation where the full scope of the leak was unknown to the person responsible.

The UK's Ministry of Defence (MoD) became aware of the leak when someone else posted parts of the data on Facebook on August 14, 2023. This meant the government remained unaware of the breach for over 18 months after it occurred.

Economic and Political Consequences

The financial cost of the breach has been staggering. The resettlement is thought to have cost the UK government about 2 billion pounds ($A4.1 billion) in total. Other outlets have reported that the Afghanistan Response Route is expected to cost the UK government a total of 850 million pounds ($1.1bn). Millions more are expected to be paid in legal costs and compensation.

The political fallout has been equally severe. The revelation followed a London judge's order Tuesday to lift a so-called super injunction that prevented any reporting on an email inadvertently sent by a defence official in February 2022. The government used this unprecedented legal measure to keep the breach secret for nearly two years, raising serious questions about democratic accountability.

In a sharp rebuke highlighting the importance of free speech, High Court Judge Martin Chamberlain wrote in his judgment published Tuesday that the gag order "gave rise to serious free speech concerns." "The grant of a super-injunction had the effect of completely shutting down the ordinary mechanisms of accountability which operate in a democracy," Chamberlain wrote.

The leak also exposed sensitive British intelligence assets. U.K. media reported that the names of more than 100 special forces troops, MI6 spies and military officers were part of the leak. Among the United Kingdom Special Forces (UKSF) personnel named are reported to be senior military officers including a major-general and a brigadier.

Security experts have identified two major causes of the data breach.

The first was poor data handling, processing, and security protocols for clearly sensitive information. The second – in part a symptom of the first – is a culture in which individuals felt that circumnavigating government processes was the best way to support Afghans. The Institute for Government noted that the breach occurred partly because normal crisis response protocols had broken down.

Official Government Response

Defence Secretary John Healey issued a formal apology to Parliament on Tuesday. "This was a serious departmental error. It was in clear breach of strict data protection protocols. And it was one of many data losses relating to the ARAP scheme during this period," Healey told MPs.

"I have felt deeply uncomfortable to be constrained from reporting to this house," he said in parliament. "No government wishes to withhold information from the British public, from parliamentarians or the press in this manner."

The Ministry of Defence has indicated it will implement new procedures following the breach. However, this is just the latest in a long line of data breaches by the MoD of personal data of Afghan citizens who had previously worked with UK armed forces. In September 2021, the ARAP scheme faced another data breach when the Ministry of Defence sent an email to over 250 Afghan interpreters which shared the email addresses, names and some associated profile pictures of all other recipients.

Former Defence Secretary Ben Wallace, who made the initial decision to seek the super-injunction, defended his actions in the Daily Telegraph, stating: "It was not, as some are childishly trying to claim, a cover-up. I took the view that if this leak was reported at the time, the existence of the list would put in peril those we needed to help out." He added: "Now the public can see for the first time the true scale of the ineptitude of the British state, through two successive governments, concerning Afghanistan."

Additional reporting by The Telegraph revealed that Taliban sources claimed to have obtained the spreadsheet in 2022 and have been actively "hunting" those that fled the country since by monitoring their families and known associates that remain in Afghanistan.

A senior Taliban official told The Telegraph: "We got the list from the internet during the very first days when it was leaked. We've been calling and visiting their family members to track them down."