ICO statement in response to 2022 MoD data breach

  • Date: 15 July 2025
  • Type: Statement

Latest update - 16 July 2025

16 July 2025 - We have updated this statement to provide clarification on our position at this time.

The ICO has been supporting and overseeing the Ministry of Defence’s (MoD) internal investigation into a data breach from 2022.  

In August 2023, the MoD was made aware that an excerpt of a spreadsheet, related to applicants for its Afghan Relocations and Assistance Policy, was circulating online. The MoD reported the matter to the ICO within 72 hours, as required by law. The MoD immediately began an internal investigation into this matter, which determined that the spreadsheet, initially shared in 2022 and thought to contain data related to a small number of applicants, had contained hidden data related to more than 18,000 people.

The ICO's role is to consider the impact on people's data protection rights and what processes were in place to protect them. We have been carefully considering the circumstances of the breach throughout, supporting the MoD's own investigation.

Emily Keaney, Deputy Commissioner, said:

“This is a deeply regrettable incident that placed thousands of vulnerable people at risk. While we have been unable to comment on this matter publicly until now, I want to reassure the public that our expert team has been working behind the scenes to support and provide scrutiny to this internal investigation into what is a complex and sensitive situation.

“Data protection should never be a barrier to sharing information when this is needed to prevent harm and we accept that the initial sharing of the document was intentional and considered under the circumstances. However, there were mistakes made beyond this, with hidden data in the spreadsheet. We have been clear with the MoD that this incident is unacceptable and should never happen again – the stakes are simply too high. The public must be able to trust that the government has measures in place to protect the personal information and security of the most vulnerable people.   

“We have supported the MoD with its internal investigation and carefully considered the specific circumstances under which the breach occurred, including the critical need to share data urgently in this situation. We’re reassured that the MoD’s investigation has resulted in taking necessary steps and minimised the risk of this happening again. We have also considered the proportionality of further action while the MoD rightly take steps to protect those most affected. We are satisfied that no further regulatory action is required at this time in this case. We are keeping this under review and may choose to revisit this decision at any time if new information comes to light.”