When journalists inquired about the data breach, they were slapped with a superinjunction. By court order, news outlets were prevented from disclosing any details about the error – or even the existence of the injunction itself.
At the time the email was sent, the government was scrambling to make good on a promise to give sanctuary to Afghans, including soldiers and interpreters, who had fought alongside British troops following the invasion in 2001 until the fall of Kabul to the Taliban in August 2021.
UK military personnel onboard a plane departing Kabul in late August 2021.Credit: MoD Crown Copyright via Getty Images
The tens of thousands of names on the database were of Afghans who had applied for asylum in the UK under the specially convened ARAP scheme. It also included information about Afghans who applied to a similar programme called the Afghan Citizens Resettlement Scheme (ACRS). Their very act of applying for asylum had put their lives in jeopardy.
For 18 months, the Ministry of Defence (MoD) appeared oblivious to the existence of the rogue email, with its spreadsheet sent in error. That all changed on August 14 2023, with an anonymous post on Facebook that would send the MoD into a spiral of panic.
The MoD only became aware of the leak when that month a member of the public wrote to Luke Pollard, the Labour MP for Plymouth, and James Heappey, a Conservative who was at the time a defence minister, warning them that the spreadsheet had been shared widely online.
“I have a copy of it, so does the Taliban – why doesn’t the ARAP team?” wrote the person, whose name was redacted in court documents, in the email dated August 10, 2023. They are understood to be a support worker for Afghans settling in the UK.
Then British home secretary Priti Patel, second form the left, talks Afghan refugees at Heathrow Airport in London in August 2021.Credit: AP
Extracts from the spreadsheet were then posted on Facebook four days later.
In a group used by 1300 Afghans needing to relocate, some of whom may have been Taliban infiltrators, the user – known only as “Anonymous Member” – wrote that he was in possession of the database containing records of 25,000 applicants on 33,000 rows of information, adding: “I want to disclose it.”
The user who posted the extracts is understood to have been an Afghan who was sent the database, and whose own asylum claim was later rejected.
To show the list was genuine, the Facebook user then posted the personal details of nine Afghans who had applied to the ARAP scheme. British diplomatic staff administering the scheme in Pakistan were alerted by another member of the Facebook group. Alarm bells began to ring.
British Defence Minister John Healey on Tuesday apologised for the leak.Credit: Getty Images
By the afternoon of August 14, the relocation team in Islamabad had circulated an email to some 1800 Afghans in Pakistan, warning them: “We have been informed there may have been a potential data breach of your contact information.”
Some of those affected told the British Council they had been contacted by Iranian phone numbers on WhatsApp asking them to disclose scans of their passports.
However, Whitehall officials chose not to inform any individuals waiting in Afghanistan or elsewhere about the breach, because it was felt it would increase the risk of the Taliban getting hold of it. Spies, meanwhile, sought to delete any trace of the list from servers overseas.
The posts were deleted within three days after officials from the MoD contacted Meta, Facebook’s owner.
Timeline of the ‘kill list’ and the superinjunction
February 2022: A Royal Marine accidentally sends an email containing the list of nearly 25,000 people who applied for the Afghan Relocations and Assistance Policy.
August 14 2023: A Facebook user posts an excerpt of the dataset disclosing the details of nine ARAP applicants. The Ministry of Defence is notified.
August 15: A civilian volunteer warns James Heappey, the armed forces minister, that the Taliban may now have a “kill list essentially provided to them by the UK government”.
August 17-25: Journalists contact the MoD and Foreign Office about the breach, but agree not to publish until those at risk are protected. Ben Wallace, the defence secretary, decides to apply for a court order blocking the news.
September 1: The MoD asks the High Court for an injunction for around four months. A High Court judge grants a superinjunction, saying the risk of the information falling into the Taliban’s hands justifies the highest level of secrecy.
November 16: A Cabinet sub-committee, the Domestic and Economic Affairs (DEA) committee, discusses the issue. Members at the time include Rishi Sunak and Jeremy Hunt. Meeting notes reveal plans to establish a compensation scheme at a cost between £120 million and £350 million.
November 23: Justice Martin Chamberlain gives a private judgment where he says granting a superinjunction “is likely to give rise to understandable suspicion that the court’s processes are being used for the purposes of censorship”.
December 19: The DEA committee says that a new route of settlement in the UK should be offered to about 200 at-risk people and their dependents. This is called the Afghanistan Response Route (ARR).
February 15 2024: Chamberlain extends the superinjunction. He adds in a second, private judgment: “What is clear is that the Government has decided to offer help to only a very small proportion of those whose lives have been endangered by the data incident and that the decisions in this regard are being taken without any opportunity for scrutiny through the media or in Parliament.”
May 21: Chamberlain rules that the superinjunction should be lifted. He says there is a “significant possibility” the Taliban knows about the dataset, but adds that it is “fundamentally objectionable” that decisions about thousands of people’s lives and billions of pounds of taxpayers’ money are being taken in secret.
June 25-26: The Court of Appeal rules that the superinjunction will remain in place. In a later written ruling, judges Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby say that between 80,000 and 100,000 people could be at risk if the Taliban were to obtain the data.
July 4: Sir Keir Starmer is briefed about the data breach after taking office.
February 3 2025: A review says the ARR resettlement plan would mean relocating more Afghans than had been moved under ARAP, and would extend the schemes for another five years at a total cost to the taxpayer of around £6 billion.
July 4: John Healey, the Defence Secretary, concludes that the ARR should be closed after an internal review finds the breach is unlikely to have put individuals at greater risk. The review also said the Government may have “inadvertently added more value to the dataset” by seeking the superinjunction and implementing a bespoke resettlement scheme. Government lawyers tell the High Court that in light of the decision to close the Afghanistan Response Route, the superinjunction “should no longer continue”.
July 15: Chamberlain lifts the superinjunction.
The Metropolitan Police was informed in August 2023, but it was decided a criminal investigation was not necessary.
It is understood that individuals in the UK and Pakistan are still in possession of the database, and in at least one case it has changed hands for a large sum of money, understood to be five figures.
By 10am on August 15, an email was sent to Heappey – the armed forces minister at the time – with the alarming subject title: “ARAP families, imminent threat to life.“
The sender of the email – whose name has been redacted in court documents – explained that they were now aware of the data breach.
The headquarters of the UK’s Secret Intelligence Service, known as MI6, left, on the River Thames in London, Credit: Bloomberg
“The fact that the Taliban may be in possession of 33,000 ARAP applications, including the primary applicants’ phone numbers and all the case evidence, is simply bone-chilling,” claimed the email.
It is unclear what, if any, was Heappey’s response. Or indeed whether he saw the email.
By 8.09pm, a time when the MoD’s top brass would have gone home for the day, a senior official in charge of data governance circulated an official crisis alert to them, confirming the data breach.
But it wasn’t clear at that stage how the database had got into rogue hands. The question, an unnerving one for the government, was whether this could have been an illegal hack.
The intelligence services, including GCHQ and MI6, were briefed by the UK Foreign Office and asked to examine whether a hostile state could have been responsible. The CIA was also brought into the loop. Days later, officials realised the stark truth of the accidental leak.
From then on, the government went into crisis mode. David Williams, a freelance journalist who had previously worked on a campaign to resettle Afghan interpreters, was made aware of the breach. He contacted the MoD for comment, and other journalists soon got wind of it.
The government decided that any whiff of the spreadsheet could put lives in danger, and the MoD issued a so-called D-Notice requesting that newspapers refrain from reporting the breach. D-Notices are advisory only, and not legally binding.
Meanwhile, inside the UK government, ministers were in a race against time to get to Afghans identified on the spreadsheet before the Taliban could.
Then British prime minister David Cameron talks to British and US in south Afghanistan in July 2011.Credit: AP
Ben Wallace, the defence secretary at the time, who had announced in July his intention to resign, was incandescent. He had been concerned about data safety and could not believe that such a lackadaisical breach could have been allowed to occur.
A Cobra meeting – called when high-level decision need to be made in emergency situations – was convened in Whitehall in response.
On August 25, 2023, in one of his last acts as defence secretary, Wallace applied to the High Court for an injunction to prevent the leak becoming public.
A week later, on Sept 1 – by which time Grant Shapps had been installed as his successor – the High Court granted a superinjunction contra mundum – meaning “against the world” – that prevented anybody knowing about the leak and the existence of the injunction itself.
People gathered outside the international airport in Kabul on August 25, 2021. Credit: NewYork Times
It was the first time such a draconian injunction had been used by a UK government against the British press.
By now, the government was running two operations. One was to stop the story getting out, and the other was to get the Afghans out of their home country and to the safety of the UK.
Ministers launched Operation Rubific, which would aim to bring thousands of Afghan families most at risk to the UK, largely via Pakistan. In towns up and down the country, Afghans were quietly resettled and their numbers kept off the official books, after being flown into the UK on specially arranged flights.
Justice Robin Knowles, the High Court judge who granted the superinjunction, accepted his ruling would infringe “freedom of expression and of the press,” but insisted that “the impact is justified in the particular and exceptional circumstances of this case including the risk to life and of torture”.
Instead of being granted against a named individual or news organisation, the injunction banned anybody at all who learnt of the leak from talking about it.
With news reporting banned, Parliament was kept in the dark – although the speakers of both the Lords and Commons – were secretly told so they could decide how to handle any Parliamentary questions to ministers about it.
John Healey, then the shadow defence secretary, tabled just such a question on December 13, 2023. In that month, the information commissioner had fined the MoD £350,000 for leaking the details of more than 200 ARAP applicants. Healey asked if the watchdog was investigating any similar breaches.
A brief answer from Heappey said there were two “live investigations”, confirming the Labour member’s suspicions. The Telegraph understands that Heappey then met his Labour counterpart that month to reveal all to him.
Yet, Healey was also served with the superinjunction at the meeting – meaning he could not even tell Sir Keir Starmer, the leader of the opposition at the time, let alone the shadow chancellor. The intelligence and security committee and the Commons defence select committee were both kept in the dark.
“I would not widen [the] circle by briefing others,” said Shapps in a civil service memo dated November 2023. The chairman of the public inquiry into alleged extrajudicial killings of Afghans by members of the SAS was also kept in the dark.
Democratic accountability had seemingly been thwarted. Thanks to the court order, the MP could ask no further public questions about the leak, nor question ministers’ and officials’ handling of it in deciding to bring all the directly affected Afghans to the UK.
At the time, sources suggested, the MoD’s estimate of the total cost of bringing Afghans to Britain was in the region of £4 billion. It would rise to £7 billion, before being revised down to £6 billion, an extraordinary sum all the same.
By May last year, a Cabinet subcommittee chaired by the deputy prime minister – at the time, Oliver Dowden – had decided to allow 11,500 Afghans into Britain as a result of the leak, yet this had not been announced to Parliament nor subjected to any public scrutiny.
Loading
The money to do so was drawn from the Treasury’s reserve funds and not the MoD, Home Office or Department for Communities and Local Government’s budgets, The Telegraph understands.
At about the same time, Justice Martin Chamberlain, who had taken over the legal case, ruled the injunction ought to be lifted, prompting an immediate appeal by the MoD.
Court of Appeal judges agreed with the government and said the gag order had to remain in place.
Meanwhile, July’s general election saw a change of government. Initially, Labour kept things exactly as they were under their Tory predecessors, with MoD lawyers continuing to insist to the High Court that any public mention of the leak would be lethally disastrous.
Healey, by now the Defence Secretary, continued to toe the MoD line and stay silent on the breach.
The injunction would remain in place for another year after Labour took charge. Officials and politicians continued to maintain that any public knowledge of the breach would somehow inspire the Taliban to go and look for the spreadsheet.
Yet by January this year, retired civil servant Paul Rimmer – the former deputy head of Defence Intelligence – had been commissioned to review the risks.
By April, The Telegraph understands, ministers were aware that he was likely to find that if the data breach became public knowledge it would not substantially increase the risks to those mentioned in it.
In his review, Rimmer concluded that “early concern about the extent of the Taliban intent to target [certain individuals] has diminished”.
“There is little evidence of intent by the Taliban to conduct a campaign of retribution… Killings are undoubtedly still occurring, and human rights violations remain extensive, but it is extremely difficult to determine the causes of individual killings or detentions,” he found.
The system set up to fly in Afghans, without any public knowledge of the scheme as a result of the data breach, was now “disproportionate to the actual impact of the data loss were it to fall into the Taliban’s hands”.
By the time of the review, 16,156 individuals affected by the breach in 2022 had reached the safety of the UK. But it is only now that news organisations can tell that story.
An Afghan man now living in Britain is said to be the person who threatened to share the list. According to the Daily Mail, he is in the UK with at least seven relatives.
