Committee publication · Report · 14 November 2025 · HC 1391

54th Report - Afghanistan Response Route

Inquiry: Afghanistan Response Route (ARR)

Government response deadline: 14 January 2026

Summary

The Public Accounts Committee examines the Ministry of Defence's handling of a catastrophic February 2022 data breach affecting 18,700 Afghan applicants for UK resettlement schemes. The Department failed to implement adequate systems for managing sensitive personal data, experienced 49 subsequent breaches, and improperly withheld information from Parliament and the National Audit Office for two years via a super-injunction. The resulting Afghanistan Response Route scheme will cost approximately £850 million to resettle 7,355 affected individuals, though accurate accounting remains incomplete.

Key findings

A February 2022 data breach exposed personal information of 18,700 Afghan applicants when a Defence official accidentally emailed a spreadsheet with embedded hidden data to an external contact; the Department relied on unsuitable Excel spreadsheets and SharePoint rather than purpose-built casework systems.
The Department experienced 49 total data breaches between 2021 and August 2025 at the Afghan applications unit, with seven meeting the reporting threshold to the Information Commissioner's Office, yet failed to implement sufficient preventative controls despite previous autumn 2021 breaches.
The Department concealed the breach via a super-injunction from September 2023 to July 2025, deliberately declining to inform the Public Accounts Committee Chair or Comptroller and Auditor General in confidence, severely impairing parliamentary and audit scrutiny of £850 million in public spending.
The Department did not separately account for Afghanistan Response Route costs, claiming the super-injunction prevented separate identification, yet later acknowledged it could have done so; cost estimates lack NAO confidence and exclude £2.5 million in legal costs plus unquantified future compensation liabilities.
By June 2025, only 3,383 of an estimated 27,278 affected individuals had arrived in the UK; resettlement is expected to take several more years, with the Department unable to contact a 'handful' of highest-risk principals due to outdated contact details.

Recommendations

The Department should provide six-monthly updates to the Committee on Afghanistan Response Route resettlement progress through March 2026 and beyond.
The Department should confirm to the Committee that all Afghan resettlement schemes now operate through the Defence Afghan Casework System and provide assurance this prevents recurrence of the February 2022 breach.
The Department should detail its data protection policies, processes, guidance, staff training attendance, and changes made in response to previous breaches.
The Department and Treasury Officer of Accounts should establish a protocol with the Comptroller and Auditor General for handling future super-injunctions to ensure Parliament and auditors receive sufficient timely information.
The Treasury Officer of Accounts should issue new guidance to all Accounting Officers on their responsibilities in the event of super-injunctions.
The Department should explain in its Treasury Minute response how it is now separately capturing and accurately recording Afghanistan Response Route resettlement costs in its accounting systems.

Tone

Critical

Topics

data-protectiongovernment-accountabilitypublic-spendingafghan-resettlementparliamentary-scrutiny

Key actors

Ministry of Defence, Public Accounts Committee, Comptroller and Auditor General, National Audit Office, Information Commissioner's Office, Treasury Officer of Accounts, Home Office, High Court

Notable line

“The Department fell below the standards that the public and Parliament should expect in the handling of sensitive personal information.”

Key Quotes

“The Department fell below the standards that the public and Parliament should expect in the handling of sensitive personal information.”
— Public Accounts Committee · Summary assessment of the Department's conduct

“The Department could have informed the Chair of the Public Accounts Committee and the Comptroller and Auditor General (C&AG) in confidence, but decided not to.”
— Public Accounts Committee · Criticising the withholding of information during the super-injunction period

“… from an accounting officer perspective, the period in question had been "deeply uncomfortable".”
— Ministry of Defence Permanent Secretary · Reflecting on the decision not to inform the C&AG

“The Department has disclosed that it experienced 49 data breaches at the unit handling applications from Afghan citizens by August 2025, seven of which reached the threshold for reporting to the Information Commissioner's Office”
— Public Accounts Committee · Setting out the scale of ongoing data security failures

“This resulted in a lack of any parliamentary scrutiny over the use of public money and meant that the Committee and C&AG were unable to carry out their roles effectively on behalf of the taxpayer.”
— Public Accounts Committee · Explaining the impact of the super-injunction on oversight

“The Department estimates that the ARR scheme—the additional programme put in place as a direct result of the data breach—will cost around £850 million in total, with around £400 million spent by July”
— Public Accounts Committee · Detailing the financial scale of the response to the data breach

View original document →

Source · parliament.uk record ↗