After Western forces left Afghanistan, many Afghans left behind applied for asylum. Photo / Wakil Koshar, AFP
Britain has secretly offered asylum to nearly 24,000 Afghan soldiers and their families caught up in the most serious data breach in history, it can be revealed.
The leak, which can be reported after a super-injunction was lifted, led the Government to earmark £7 billion ($15.7b) to relocate Afghan refugees to the UK over five years, piling pressure on the Chancellor’s already stretched budget.
It was the longest ever super-injunction, the first deployed “contra mundum” – against the world – and the first deployed by the Government.
The revelation is set to overshadow Chancellor Rachel Reeves’ Mansion House speech on Tuesday night, at a time when she is already considering raising taxes in the northern autumn to balance the books.
It can now be revealed that the huge cost to the taxpayer of resettling the Afghans was secretly factored into the Government’s budget, partly accounting for the £22b fiscal black hole the Chancellor announced on coming into office.
The breach occurred in February 2022, when a Royal Marine sent an email to a group of Afghans and accidentally included a spreadsheet containing 33,000 rows of information and the identities of 25,000 Afghans who were applying for asylum: soldiers – and their family members – who had worked with the British Army.
The “bone-chilling” leak was later described as a “kill list” for the Taliban.
It came to light a year later when an anonymous Facebook user posted extracts of the data. The posts were deleted within three days after officials from the Ministry of Defence (MoD) contacted Meta, Facebook’s owner, but the Government decided it had no choice but to offer asylum to the Afghans affected because they were at risk of reprisal attacks from the Taliban.
A number of former Afghan special forces personnel have been murdered by the Taliban since it regained power in Afghanistan in 2021. What followed was the biggest covert evacuation operation in peacetime, codenamed Operation Rubific.
Some of those who will now come to Britain had asylum applications rejected previously, including for violent or sexual assaults, with officials forced into a reversal.
The number of people expected to be brought to the UK as a result of the breach was initially stated in court documents to be nearly 43,000 people.
However, John Healey, the Defence Secretary, told Parliament on Tuesday that 6900 Afghans would be brought to Britain as a direct result of the breach, under a scheme set up specifically to deal with the fallout.
According to the MoD, of these, 4500 are already in the country or are in transit, and 2400 more are yet to travel.
Officials said a further 17,000 Afghans deemed eligible to come to Britain under a separate relocation scheme were also found to have been affected by the breach. Of these, 14,000 are already in the country or are in transit and 3000 more are yet to travel.
In total, it is believed that between 80,000 and 100,000 people were affected by the data breach, the Court of Appeal has said.
The Government has started sending messages to Afghans on the “kill list” and who were never told, stating: “We sincerely apologise for this data incident and regret that on this occasion personal data was not [safeguarded] to the UK Government’s standard. We understand that this news may be concerning.”
It had fought a two-year legal battle to keep the leak a secret, including securing the super-injunction, which has meant journalists from the Telegraph and other media organisations faced jail if they reported on the data breach or even mentioned the existence of the legal battle.
The super-injunction was lifted at midday on Tuesday by the High Court. However, at the 11th hour a new interim injunction was issued, which blocked the publication of sensitive information about exactly what was in the database.
It is the most serious data breach in British history, dwarfing previous episodes such as the 2013 Snowden leaks detailing GCHQ’s secret surveillance methods used against millions of internet users.
The database also included the details of British government officials, The Telegraph understands.
Both the Speakers of the House of Commons and the House of Lords were informed of the leak in September 2023 “so that they could make informed decisions as to how matters should be handled in Parliament”.
MPs have been unable to ask questions about the leak because of the super-injunction. A deliberate choice was also made not to tell the intelligence and security committee, the parliamentary body that is routinely given access to highly classified material to scrutinise decisions.
After Britain joined the US-led coalition that invaded Afghanistan in 2001, it trained, equipped and funded military units formed of Afghan volunteers who took part in joint operations to disrupt the country’s drug trade by capturing and, where necessary, killing key Taliban figures.
The two UK-trained and funded Afghan units – ATF444 and CF333 – that worked alongside the SAS and Special Boat Service in some of those secret operations were nicknamed the Triples.
By the time of the British withdrawal from Kabul in August 2021, CF333 “was the last formed unit of Afghan soldiers” still loyal to the deposed Western-backed Government, according to the Royal United Services Institute defence think tank.
Former members of the Triples are among those likely to have been identified in the leaked database.
The personnel identified in the data breach are now mostly believed to be safe, according to internal MoD assessments. However, there have been several reports of Taliban hitmen murdering Afghans they view as Western collaborators, with their families. These include former members of the Triples.
One murdered Triple member, Riaz Ahmedzai, was gunned down in Jalalabad in April 2023, although it is not known whether he was in the leaked spreadsheet.
The Royal Marine responsible for the data breach is understood to have accidentally shared the spreadsheet twice in February 2022.
The spreadsheet included the names, contact details and personal information of Afghans applying to the Government’s Afghan Relocation and Assistance Policy (Arap), which aimed to resettle Afghans who worked with the British and were, with their families, at risk of Taliban reprisals. It also included information about Afghans who applied to a similar programme called the Afghan Citizens Resettlement Scheme (ACRS).
Sources told the Telegraph that the Royal Marine – who has not been identified – had been instructed to check with trusted Afghans that others applying to Arap had genuinely been part of units that fought alongside British forces.
He is understood to have shared it with a handful of Afghans already brought to the UK, who passed it on to fellow Afghans in Afghanistan.
It is not known if the Marine, who worked under General Sir Gwyn Jenkins, the newly appointed First Sea Lord who led UK Special Forces in Afghanistan, has faced any sanction for the leak.
The MoD only became aware of the leak when, in August 2023, a member of the public wrote to Luke Pollard, the Labour MP for Plymouth, and James Heappey, a Conservative who was at the time a defence minister, warning them that the spreadsheet had been shared widely online.
“I have a copy of it, so does the Taliban – why doesn’t the Arap team?” wrote the person, whose name was redacted in court documents, in the email dated August 10, 2023. They are understood to be a support worker for Afghans settling in the UK.
Extracts from the spreadsheet were posted on Facebook four days later.
The Foreign Office and intelligence agencies including MI6 and the CIA were all involved in trying to work out how the sensitive file had been obtained.
At one point it was considered possible that a Taliban, Russian or Iranian spy had hacked into MoD computer files. The MoD, with the help of GCHQ, managed to trace the leak back to the “anonymous user” 18 months previously.
The group the data was posted to had 1300 members, some of whom may have been Taliban infiltrators.
The user who posted the extracts is understood to have been an Afghan who was sent the database, and whose own asylum claim was later rejected. In his post on Facebook, he threatened to “disclose” the full list.
“I have received one database from ARAP it has [thousands] of records,” the user told the group: “I want to disclose it. What is your opinion?”
Officials scrambled into action. Meta was contacted and the posts removed three days later.
A decision was made by government officials in Islamabad who were told about the Facebook post to send a message to about 1800 people who had applied to Arap and were waiting in Pakistan, warning them of a “potential data breach of your contact information”.
The message said: “To protect you, do not respond to emails or WhatsApp/text messages from people stating they are from UK Government departments.”
Some of those affected told the British Council they had been contacted by Iranian phone numbers on WhatsApp asking them to disclose scans of their passports.
However, Whitehall officials chose not to inform any individuals waiting in Afghanistan or elsewhere about the breach, because it was felt it would increase the risk of the Taliban getting hold of it. Spies, meanwhile, sought to delete any trace of the list from servers overseas.
The Metropolitan Police was informed in August 2023, but it was decided a criminal investigation was not necessary.
By August 2023, journalists had become aware of the leak, prompting the MoD to apply for an emergency super-injunction to prevent any reporting on it.
Dozens of court hearings have since taken place, including a referral to the Court of Appeal when Justice Chamberlain, a High Court judge, made an initial attempt to lift the super-injunction last year.
It is understood that individuals in the UK and Pakistan are still in possession of the database, and in at least one case it has changed hands for a large sum of money, understood to be five figures.
The huge cost of the resettlement of Afghan refugees is an additional headache for the Chancellor.
Economists have warned that the £9.9b ($22.2b) headroom Reeves has to balance the books has already been wiped out, and tax rises seem inevitable.
It can now be revealed that in October last year Reeves signed off a secret plan, which had begun under the Conservatives, to spend up to £7b ($15.7) over five years on resettling those affected by the data breach.
Also at the meeting of the Cabinet’s home and economic affairs sub-committee on October 7 were Pat McFadden, the Chancellor of the Duchy of Lancaster; Angela Rayner, the Deputy Prime Minister; John Healey, the Defence Secretary; Yvette Cooper, the Home Secretary; and Shabana Mahmood, the Justice Secretary.
In January 2025, Healey commissioned the retired civil servant Paul Rimmer, a former deputy chief of defence intelligence, to review the situation in Afghanistan.
He concluded that the threat level had diminished, leading to the shutting down of all the resettlement schemes. That decision is expected to save around £1.2. ($2.7b).
The estimated cost to the taxpayer of resettling Afghans – now believed to be between £5.5b ($12.3b) and £6b ($13.5b) – has come from the Treasury reserve.
The fall in expected costs will not help Reeves’ budget woes, however. While a maximum of £7b ($15.7b) was earmarked for the scheme, the current estimated £5.5b ($12.3b) cost was factored into the spending review across the Home Office, Foreign Office, housing and defence budgets.
Roughly half of the £5.5b ($12.3b) has already been spent, with the rest spread out over the next five years.
The cost of resettling Afghans could also still grow in the coming years, depending on how long families stay in hotels and how large their families are, which could pile further pressure on Reeves as she struggles to balance the books. Any overspends will need to be approved by Parliament.
It is understood that as part of this, the direct cost of the leak to date has been £400m ($900.3m) and that £850m ($1.9b) has been set aside in total to complete the resettlement of Afghans affected by the data breach. It is not believed that this includes any potential compensation costs.
This month, after a separate data breach connected to Afghans applying for asylum, the MoD agreed to pay £1.6m ($3.6m) to the 265 people affected. The Government was also fined £350,000 ($787,815).
A law firm, Barings, has about 1000 Afghan ex-soldiers signed up to a mass data breach claim against the MoD in relation to the new leak. That number is likely to increase. Lawyers believe each individual could receive about £50,000 ($112,545) in compensation.
The Government is also grappling with a voter backlash over the cost of housing asylum seekers, which has risen to £4m ($9m) a day.
It emerged in May that the estimated cost of hotels and other accommodation for asylum seekers had risen from £4.5b ($10.1b) between 2019 and 2029 to £15.3b ($34.4b). It is not known whether any of the rise in cost can be partly explained by the data breach.
Labour insiders believe the spiralling asylum bill is fuelling support for Reform UK, while PM Sir Keir Starmer has pledged to end the use of hotels to house asylum seekers by 2029.
As a result of the data breach, officials secured “1400 bed spaces” in hotels “in West Sussex” according to a ministerial briefing document seen by the Telegraph, and similar accommodation in Preston, Aberdeen and Cardiff.
Moving 650 Afghans into the Yorkshire and Humber area will cost £18m ($40.5m), or just under £27,700 ($60,774.30) per asylum seeker, by the end of 2025, the document also states.
When Western militaries pulled out of Afghanistan in August 2021, the Taliban regained control.
The Arap scheme was set up to bring to safety Afghans who worked for or with the British Government and were at risk from the regime.
A separate scheme called the Afghan Citizens Resettlement Scheme (ACRS) was also set up, for applications from Afghans considered especially vulnerable – such as women and girls – and others who assisted British efforts.
When the scheme was set up in 2022, the Conservative Government promised ACRS would resettle up to 20,000 people “over the coming years”.
The most recent MoD figures show that the total number of Afghans offered asylum, including those affected by the data breach, is 39,200. A further 16,900 are expected to come to the country.
When figures for the number of Afghans who had been resettled were previously released in August and November last year, those brought to the UK under the secret scheme for those affected by the data breach were not included.
Dominic Wilson, a Cabinet Office official, said in a witness statement that this was for “containment reasons”.
“He said the continued arrival in the UK of Afghan families could become a matter of public debate leading to questions about HMG’s [the Government’s] relocation efforts that could be difficult to answer publicly,” he said.
The cost of the scheme was included in the MoD’s annual reports, but it was not explained exactly what the money was used for. An agreement was reached with the National Audit Office, the public spending watchdog, that the description could be “limited”. In the end, what was included was even more limited than agreed.
It was announced on July 1, without notice, that the Arap scheme was closed to new applicants.
The Home Office said the Defence Secretary “now considers the Arap to have fulfilled its original purpose and can be closed to new principal applications, not least so that defence efforts and resources can be focused where they are most needed – on our nation’s security, to combat the acute threats and destabilising behaviour of our adversaries”.
A Home Office paper announcing the decision said Arap’s closure to new applications was the first step to completing Afghan resettlement, and the Government aims to have “successfully honoured its obligation” to complete resettlements by the end of this Parliament.
It is believed that the scheme was closed before the lifting of the super-injunction so that there could not be a rush of further applicants once news of the data breach became public.
A Home Office source insisted that they did not expect the closure of the scheme to lead to an increase in Afghans trying to reach the UK illegally.
They attributed this partly to the fact that a significant number of Afghans are already crossing the Channel in small boats. They were the most common nationality arriving in small boats in the year to March 2025 – 5800, 16% of small boat arrivals – although this was down from the peak of 9100 arrivals in 2022.
The situation for those Afghans who previously worked alongside the British military and still live in the region is deteriorating.
Pakistan, where a large number of Afghans fled when the Taliban re-asserted control over their home country, has been “steadily hardening its position towards Afghan refugees” since December last year, according to MoD court filings.
British diplomats have been trying to stop Afghans being “forcibly deported” from Pakistan back to Afghanistan.
Meanwhile, Iran has sent around 1.2 million Afghan refugees back to their home country, according to United Nations figures released at the end of June, following a pledge in March to deport two million in total. The MoD said that at least two ex-Triples are known to be among that number.
The scheme set up as a result of the leak – the Afghanistan Response Route – was also closed on Tuesday.