The Ministry of Defence (MoD) has suffered another major data security lapse, this time exposing the personal information of thousands of Afghans, British troops, and even former Conservative ministers.
On Friday, officials notified around 3,700 individuals that their sensitive details—including full names, dates of birth, and passport numbers—had been compromised in a cyberattack.
This latest breach comes exactly a month after it was revealed that the MoD had been secretly flying thousands of Afghans to Britain, following an earlier blunder in which up to 100,000 Afghans were reportedly left “at risk of death” after their details were exposed to the Taliban. The new leak affects many of the same individuals and is the third major Afghan-related MoD data breach since 2021.
Rafi Hottak, a former interpreter for UK special forces who was severely injured in Afghanistan, condemned the repeated failures:
“How can this be the third time that one of the most vulnerable groups has been put at risk? The MoD has completely mishandled the data of Afghan allies, again failing to protect those who stood shoulder to shoulder with them.”
The compromised records also reportedly include information about ex-Conservative ministers, raising the profile of the breach even further. Due to the sensitivity of the matter, both the National Crime Agency and the National Cyber Security Centre are investigating.
The incident stems from a cyberattack on Inflite The Jet Centre, a private contractor that manages ground operations for flights into Stansted Airport. The firm also provides services to the Cabinet Office. Between January and March 2024, it facilitated flights carrying Afghans who had supported British forces, as well as MoD personnel traveling for military exercises and official duties.
While the MoD confirmed that around 100 UK service members were also affected, the majority of those impacted were Afghans relocated to Britain for their safety. At present, investigators say there is no evidence that the stolen data has been leaked online or sold on the dark web.
The MoD urged all affected individuals to “remain vigilant” and watch out for unusual activity or suspicious communication.
Professor Sara de Jong of the Sulha Alliance, a group advocating for Afghan interpreters and support staff, called the repeated leaks “extraordinary” and said they would further erode trust between Afghan allies and British institutions:
“Those who risked their lives alongside British troops thought they could rely on protection. Instead, they are facing repeated breaches and inconsistent guidance from the MoD.”
Inflite The Jet Centre acknowledged the incident, confirming that a limited number of company email accounts were accessed without authorization. The company has reported the matter to the Information Commissioner’s Office and said it is cooperating fully with UK cyber authorities. It emphasized that the breach was restricted to emails, but has nonetheless alerted stakeholders whose data may have been exposed.
The government attempted to downplay the situation, saying there was “no threat to individuals’ safety” and “no compromise of government systems.” A spokesperson stressed that officials are taking “all possible measures” and informing those potentially impacted.
This breach also follows revelations about a super-injunction imposed in 2023, after a soldier mistakenly sent out a list of Afghans seeking relocation to the UK. That unprecedented gag order—aimed at preventing the media from reporting on the exposure—remained in place for almost two years. According to documents obtained through a Freedom of Information request, the legal battle over that injunction ultimately cost taxpayers £2.5 million.
