MOD/Crown Copyright/2021The Ministry of Defence has admitted there have been 49 separate data breaches in the past four years at the unit handling relocation applications from Afghans seeking safety in the UK.
Four out of the 49 breaches were already publicly known - including the leak in 2022 of a spreadsheet containing details of almost 19,000 people fleeing the Taliban.
This mammoth data breach, which led to thousands of Afghans being secretly relocated to the UK, was only revealed last month after the High Court lifted a gagging order.
It was described by the UK's information watchdog as a "one-off occurrence following a failure to [follow] usual checks, rather than reflecting a wider culture of non-compliance".
However, lawyers representing Afghans affected by data breaches said the new figures, released to the BBC under the Freedom of Information Act, raised concerns about a culture of lax security among those working on the resettlement scheme.
The MoD has refused to provide any details of the nature of each breach but incidents which have previously been made public include officials inadvertently revealing the email addresses or other personal details of applicants to third parties.
Adnan Malik, Head of Data Protection at Barings Law which represents hundreds of Afghans affected by the biggest of the breaches in February 2022, said: "What began as an isolated incident, which the Ministry of Defence initially sought to keep from public view, has now escalated into a series of catastrophic failings.
"We urge the Ministry of Defence to be fully transparent with both those affected and the wider public. Victims should not be forced to learn the truth through legal action or news reports."
The Afghan Relocations and Assistance Policy (ARAP) was set up in April 2021 to help people who feared their lives were at risk because they had worked with British armed forces in Afghanistan and to resettle eligible applicants and their family members in the UK. It was closed in July this year.
The scheme has been dogged by revelations about poor data security, potentially putting the lives of Afghans who worked with British forces at risk.
In September 2021, BBC News revealed that more than 250 Afghans seeking relocation to the UK were mistakenly copied into an email from the Ministry of Defence, putting them at risk of reprisals.
A total of 265 email addresses were shared in this way across three separate incidents that month, which ultimately led to a £350,000 fine from the watchdog.
The breaches were "intensely difficult and embarrassing for the government handling publicly", one defence source said.
Ben Wallace, the then-defence secretary, expressed his personal anger at what had occurred, telling MPs: "I am very keen that it is not just the poor person who drafts the email who is held to account, but the chain upwards, to ensure that this does not happen again."
Two months after the incidents, in November 2021, the then Conservative government announced "significant remedial actions", including new data handling procedures and training as well as a new "two pairs of eyes rule" requiring any external email to an ARAP-eligible Afghan national be reviewed by a second member of staff before being sent.
The government said the measures were taken to "prevent such incidents occurring again".
Instead, data breaches continued including, in February 2022, a potentially catastrophic leak which saw a soldier at Regent's Park barracks send a spreadsheet with what they believed to be a small number of applicants' names to trusted Afghan contacts.
They did not realise that hidden data in the spreadsheet in fact contained the names, contact details and some information about family members and associates for nearly 19,000 people.
When the leak was discovered some 18 months later, in August 2023, the then-Conservative government sought a gagging order to prevent details of the error being made public. The government successfully argued that lives were at risk and the Taliban would be alerted if an injunction wasn't granted.
The super injunction which was imposed was not lifted until July this year.
Jon Baines, a senior data protection specialist at the law firm Mishcon de Reya, said the new figures uncovered by the BBC show a "remarkable number of data security incidents in relation to the ARAP scheme".
"It is difficult to think of any information more sensitive than that which is involved with the scheme, and it baffles me why there were not better security measures in place," he added.
PA MediaSeven of the 49 data breaches were sufficiently serious to require MoD officials to notify data watchdog the Information Commissioner's Office (ICO).
This includes three breaches - one in 2021, and two in 2022 - that have not been made public before.
The ICO said it was limited in the amount of information it still held on those breaches and why it didn't take further action but that its work with the MoD was "ongoing".
"We continue to engage with the MoD, so we can be assured that they have made the required improvements," a spokeswoman said.
The watchdog has not taken any action against the MoD over the large spreadsheet data breach which was previously subject to court-imposed reporting restrictions, arguing "there was little we could add in this case that would justify the further allocation of resource away from other priorities".
Jon Baines said there were "serious questions firstly as to whether the ICO should have conducted more in-depth investigations previously, and secondly, whether there is now an urgent need for more investigation.
"What assurance can we all have now that the MoD are properly protecting the highly sensitive personal data it is often entrusted with?", he added.
A Labour government source blamed previous Conservative administrations for inadequate data protection measures and said new software has been introduced and other changes made since Labour came to power last year.
"Current ministers repeatedly highlighted the Tory mismanagement of data around the ARAP scheme while in opposition," the source said.
"Since last July, we've brought in a host of new measures to improve data security and we've made public the largest Afghan data breach which occurred under the previous government, to allow for parliamentary scrutiny and accountability."
A Conservative Party spokesman said: "This data leak should never have happened and was an unacceptable breach of data protection protocols.
The secretary of state for defence has issued an apology on behalf of the government, and Conservatives joined in that apology.
"When this breach came to light, the immediate priority of the then-government was to protect persons in the dataset."
An MoD spokesperson said: "We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.
"All incidents that meet the threshold under UK data protection laws are referred to the Information Commissioner's Office, and any lesser incidents are examined internally to ensure lessons are learned."
If you have any information on stories you would like to share with the BBC Politics Investigations team, please get in touch at politicsinvestigations@bbc.co.uk
Sign up for our Politics Essential newsletter to keep up with the inner workings of Westminster and beyond.
15 PerFlyer
