Διαφάνεια

Data breach factsheet

Save the document

Table of Contents

Information Sheet: UK Government Afghan Data Breach

[Last updated: 28 July 2025]

This factsheet provides information about the recent data breach incident relating to the UK’s Afghan Protection Schemes. It is intended as a resource to help Afghan nationals and their family members in their understanding of these events, and does not constitute legal advice. Please note that the information provided within is drawn from the limited information as provided by the UK Government. Wherever possible we strongly encourage you to seek legal advice in respect of your individual circumstances.

What is the data breach?

On 15 July 2025 the UK government announced there had been a major data breach of personal data included in applications to the UK’s Afghan Resettlement and Assistance Policy (ARAP) and its forerunner, the Ex-Gratia Scheme (EGS). The UK government has stated that applications which were affected were those made on or before 7 January 2022. The breach involved disclosure of a spreadsheet containing personal details of 18,714 Principal applicants for the schemes. There are Dari & Pashto translations of the announcement here. 

The breach involved disclosure of a spreadsheet containing personal details of 18,714 applicants for the schemes which likely included: names, biographical information, contact details for applicants and family members, and (potentially) the reasons for which they were applying for relocation.

When did the data breach happen and why do we only know about it now? 

The spreadsheet containing the personal data was originally disclosed outside of the UK government in February 2022. The UK government became aware of the breach in August 2023 because on 14 August 2023, a section of the spreadsheet was shared in a Facebook group. 

As a result of the UK government becoming aware of the data breach, it took legal steps to prevent details of the breach becoming known on a more widespread basis and established a specific relocation pathway for individuals it considered to be at risk as a result. The Afghanistan Response Route (ARR) was opened in April 2024 and brought  a number of individuals and their family members to the UK. The existence and eligibility criteria for ARR were not publicly disclosed and it was by invitation only. Furthermore, the ARR was discontinued on 4 July 2025 and is no longer open.  The UK government has now confirmed that for an individual to be eligible for assistance under ARR, they must have been:

i. affected by the breach (i.e. their information  had been included in the spreadsheet)

ii. considered to be at the highest risk of targeting by the Taliban;

iii. located in a high risk country; and

iv. previously not received a grant of assistance under any of the existing routes (ARAP, ACRS, etc.)

The data breach and the ARR only became public knowledge on 15 July 2025. This is because in August 2023, journalists who were aware of the breach contacted the Ministry of Defence and agreed not to publish anything because of the seriousness of the risks that it posed to individuals on the list. Then, the Secretary of State for Defence applied to the High Court for an injunction to prevent the publication of information about this leak.

As a result of the application for an injunction, on 1 September 2023, the High Court issued a strict court order – known as a super-injunction which prevented anyone from sharing information about the breach, or even about the court order itself. This was the first time that a court order of this kind had been made and it was reviewed again by the High Court in November 2023, February 2024, May 2024, July 2024 and July 2025. The super-injunction was eventually lifted by the High Court on 15 July 2025. You can read the judgments relating to the injunction being made and lifted here.

How do I know if I am affected by the data breach?

You are only at risk of having been affected by the data breach if you submitted an ARAP or EGS application on or before 7 January 2022. If this applies to you, you can use the Data Incident Self-Checker to find out whether you (and any family or dependants cited in your application) are affected.

If you submitted multiple applications, you may have been given more than one reference number. The Government guidance explains that you will need to check every reference number you have been given.

If you have never applied for ARAP or EGS (for example, you applied only for ACRS or another scheme) your data also cannot be subject to this breach because it will not have been on the spreadsheet.

Additionally, you may have received a letter from the MOD which looks like this or this.

I have lost my documents/I don’t know my reference numbers – what can I do?

If you don’t know your ARAP, EGS, or ATAE reference (or not all of them) you can use this contact form to ask the Ministry of Defence to tell you. You should ensure that you give all of your names (especially if you can spell your name in multiple ways) and you may be asked to give more information if they cannot immediately locate your records.

You can also make a “Subject Access Request” (SAR). This is where you ask a government department to give you a copy of all the records that it holds about you. If you worked with the Ministry of Defence in Afghanistan, you can find the form to make a SAR here. Other government agencies may have a different process for SAR; if you have worked with other Government Departments (for example the Foreign, Commonwealth & Development Office (‘FCDO’)) we recommend you search in the individual webpages of the government agency you worked with for the specific SAR process.

I know I am impacted by the data breach, what can I do?

The UK government has published a guide in English, Dari and Pashto for people who have been affected. 

If your data was breached, we would suggest that what you can do is dependent on where you are now and what has happened with your application. 

We will give more information below on what to do if your ARAP/EGS application has not yet been completely finished or if you think the outcome should change because of the data breach.

I was relocated to the UK eg under ARAP/EGS or ARR and my data was breached.

If you were found eligible for relocation and your application is finished, the data breach will not affect your status in the UK. But you may still be eligible to make a claim for compensation. There are a number of law firms who may be able to advise you on whether you have a compensation claim. 

  • Wilsons Solicitors LLP: public@wilsonllp.co.uk
  • Leigh Day: ARAPdatabreach@leighday.co.uk
  • DPG: newcaseenquiries@dpglaw.co.uk
I have a pending ARAP/EGS application and my data was breached, how will this affect me?

If you or family members are outside of the UK and you are waiting for a decision on an application, you are likely to be feeling anxious about what the breach may mean for you and your family. 

The UK government has said that:

  • It believes that the risk to people whose personal data was included in the spreadsheet is no longer high. 
  • It does not believe that the Taliban will use the information to target anyone and that this is why the ARR closed.

But you may have reasons to believe that you or your family are likely to be targeted and you may wish to write to the Ministry Of Defence. To assess this risk you could ask them to confirm what personal data was included on the spreadsheet relating to you and your family. Where relevant you may also wish to explain the impact of the data breach on you and your application, with an explanation for why you are particularly at risk.

RLS is preparing a template letter for people in this situation to ask the MOD to urgently make a decision. We hope to share this letter soon.

My ARAP/EGS application or ARAP/EGS review has been refused, what can I do?

If your data was breached and you were found ineligible for both your application and following a Review, usually this would mean that your application is finished.

However, you should be entitled to request a further review if you have compelling new evidence that was not available at either the initial application, or when the review was undertaken. We would suggest that where your data being breached puts you at risk (or at higher risk) this should be considered compelling new evidence and you may want to submit a new Review request. You could include a statement to explain the risks the data breach has created, including detailed information about any new threats that you or your family members have received, any house searches, arrests or other harassment experienced. You can use the APBI ARAP self-help guide which includes a section on witness statements; (see page 32; Appendix 2). 

Please note, we cannot guarantee that your request for a further review will be accepted or if your application will be granted. This is because applications are always assessed on a case-by-case basis. 

You will need to complete the Review request form here or email: ARAP-Casework@mod.gov.uk.

RLS is also drafting a letter which you can use to request an urgent review if you are in this situation and you know that your data was part of the breach.  We hope to share this letter on our website soon.

One of my family member’s data was breached and now I think I am at risk. Can I still apply for ARAP?

The UK government closed the ARAP scheme for new applications on 1 July 2025. It is no longer possible to submit an ARAP application and there is no access to the online form. 

Please note, the closure of the ARAP scheme does not apply to people with existing applications. All existing applications and review requests will still be considered.

Also, if you did not previously apply for ARAP but your relative did and you were included as a family member, it may be possible to request an out-of-time review of any decision that you are not eligible for assistance under the scheme.

I was relocated under the ARAP/ARR scheme and have an Indefinite Leave to Remain (ILR)/ALES settlement. Some of my additional family members were found ineligible (elderly mother/father, adult brother/sister and their families); how can they apply to join me in the UK? 

If you included your family members on your original ARAP/EGS application and received a negative eligibility decision, you may be able to submit a review of the decision. Usually the review request must be submitted within 90 days but you may be able to argue that this requirement should be waived if you think that the risks they are facing have are because of or heightened as a result of the breach.

If you did not include your family members in your original application, their details would not normally have been included in the data breach. However, if you are concerned that they are now at risk because of the data breach, you may wish to contact ARAP-Casework@mod.gov.uk and request a form for additional family members. You should set out in detail why your family members are now at risk, and why they were not included in your original application. 

If neither of the above situations apply to you or your family members, there is no specific scheme to help your family join you in the UK. They may be eligible to make an immigration application directly to the Home Office to join you. Further details can be found here.

Are there any pathways left for Afghans to come to the UK?

On 1 July 2025 the ARAP scheme closed for new applicants and the ACRS schemes closed for new referrals. There are now no specific schemes available for Afghans to come to the UK.

I feel very stressed about my family members in Afghanistan, what can I do? 

The news about the data breach is very distressing. It is understandable to feel upset, confused, worried or stressed. Please seek mental health support if it would assist. You may find helpful support here (for those in the UK) or here (for those in Afghanistan or the region).