ARAP/EGS Data breach claim

The leaked dataset included personal information of nearly 19,000 people who had previously worked with the UK armed forces in Afghanistan and had applied to be relocated to the UK with their families as part of the UK Government’s Afghan Relocations and Assistance Policy (ARAP) and/or the Afghanistan Locally Employed Staff Ex-Gratia (EGS) scheme. 
  
The unauthorised disclosure followed an error by an unnamed individual at the MOD in February 2022, but the data breach was only discovered in August 2023 when some of the details were posted on Facebook. The personal details included people’s names, contact details and, in some cases, family details.  
  
After becoming aware of the data breach, the MOD then successfully applied to the High Court for an injunction preventing any reporting of the data breach, citing the risks posed to those affected if the Taliban became aware of the information.

The Government then established the Afghanistan Response Route (ARR) in April 2024 for those who had not previously been found eligible for ARAP but were judged to be potentially at the highest risk of reprisals by the Taliban as a result of the data incident.

At the High Court on Tuesday 15 July 2025 the injunction was lifted by a judge after reviewing a report by a retired civil servant, commissioned by the MOD, that concluded that the Taliban “likely already possess the key information in the dataset” and that it was “unlikely that individuals would be targeted simply because of their work for the UK”.  However, the report also stated that “Given the available evidence and the widespread human rights violations, it is not possible to conclude decisively that those individuals affected by the data incident would not face any additional threat, if the dataset were acquired by the Taliban or more widely known publicly in Afghan communities.”

Furthermore, there are ongoing press reports that the Taliban continue to imprison, torture and kill those suspected of previously assisting international forces.

When addressing the House of Commons on 15 July 2025, following the lifting of the injunction, the Defence Secretary John Healey offered a “sincere apology on behalf of the British government” for the data breach.  

The MOD then confirmed that the data breach only affected those who applied under the ARAP or EGS schemes on or before 7 January 2022. Where their contact details were known, the MOD stated that they sent emails to those they considered likely to be affected on 15 July 2025 to the email addresses that they had previously provided.

The MOD also provided a link to a self-checker for those concerned that they may be affected, where they could enter their ARAP, EGS, or ATAE reference and receive an immediate response as to whether they had been potentially affected or not. For those not having these details, the MOD also provided a link to a contact form through which they could be contacted.

Unfortunately, this is just the latest in a long line of data breaches by the MOD of personal data of Afghan citizens who had previously worked with the UK armed forces.

Those affected are likely to have strong claims for substantial compensation against the Government for failing to keep the information secure and for the anxiety, fear and distress this has then caused.  

We are acting for those affected by the data breach on a so called “no win no fee” basis, which will ensure that they receive at least 70% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment to us.

If you have been notified by the Ministry of Defence that your personal information may have been disclosed and wish us to investigate starting a claim, you can start the process today.

Similarly, if you have any queries or problems completing the sign-up process or would prefer to be taken through the sign-up process by telephone, please email us at ARAPdatabreach@leighday.co.uk or call on +44 (0) 20 7650 1308 and a member of our legal team will contact you to arrange a convenient time to speak with you.  

If you are not based in the UK, you can also contact us via WhatsApp if you prefer: +44 (0) 7787266196.

Our specialist data breach team challenge multi-million-pound corporations who have unlawfully shared their customers' information or failed to invest in adequate security measures, resulting in a data breach.   

Our work includes acting for individuals or groups in claims against the government, the police, GPs, hospital trusts, local authorities, the courts as well as private companies. 

We are already acting for Afghans who applied under the ARAP scheme for relocation to the UK and whose personal information was disclosed in a previous data breach in September 2021. 

We have also acted for Afghan interpreters whose UK entry visas were refused on national security grounds, and had those decisions overturned. 

Contact the team by telephone on  +44 (0) 20 7650 1308 or send an email to ARAPdatabreach@leighday.co.uk.  

If you are not based in the UK and would prefer to contact us by WhatsApp, please do so by contacting us on +44 (0) 7787266196.

Find out more about the news coverage related to this data breach

Thousands of Afghans were moved to UK in secret scheme after data breach - BBC 15.7.25

MoD could face ‘substantial’ compensation claims over data breach, lawyer says Independent -15.7.25

‘The worst day of all time’: Afghans speak of safety fears after UK data leak - Guardian 15.7.25

Payout offered to Afghans hit by UK data breaches - BBC 4.07.25

MoD fined £350k after disclosing personal details of 265 Afghan aides - Army Technology 13.12.23

Special forces blocked UK resettlement applications from elite Afghan troops - BBC 19.02.24 

Court allows review of UK visa rejections for ex-BBC journalists in Afghanistan - The Guardian 13.02.23

Revealed: Afghan journalists facing death threats and beatings, despite UK pledge to save them - The Guardian 28.05.22