How one of the gravest security lapses in history was kept secret


It was a lawsuit unlike any other. On August 25, 2023, just days before he resigned as UK defence secretary, Ben Wallace asked judges in London for an injunction to keep a historic national security debacle secret.

The Ministry of Defence had recently discovered that, 18 months earlier, a British soldier had mistakenly released a highly sensitive dataset identifying thousands of Afghans who had worked with the UK before the Taliban retook power. They were now at risk of reprisals.

Whitehall only learned about the leak after someone posted on Facebook extracts from the list, which featured details of about 25,000 people.

If the Taliban obtained the dataset, the consequences would be dire. Thousands of people in Afghanistan could face torture and death. Wallace wanted the High Court to intervene to conceal the “data incident”.

The judge who heard Wallace’s application, Mr Justice Knowles, granted the injunction after the MoD argued successfully that the threat to life justified it.

Knowles took the exceptional further step of issuing a “super-injunction”, not only preventing anyone from revealing that the data had been breached but making it unlawful to mention even that the restrictions themselves existed.

Screenshots of court documents from September 2023 relating to the injunction

On several levels, the gagging order was without precedent. Its imposition was a genuine landmark in English legal history.

For a start, the super-injunction was the first to be obtained by the UK government. It has allowed ministers in Rishi Sunak’s Conservative government and then in Sir Keir Starmer’s Labour administration to take decisions concerning the safety of tens of thousands of people — and plan to spend as much as £7bn to relocate those affected — without public scrutiny.

It was also the first super-injunction to be issued “contra mundum” — against the world. The uniquely potent combination gave the MoD the power to stop anyone speaking of either the data breach or the existence of the restrictions.

Though the MoD initially sought only “time-limited” restrictions, it went on to make repeated extension requests under both the Conservative and Labour governments. The courts would acquiesce, keeping the super-injunction in place for almost two years, before it was finally lifted on Tuesday.

Throughout much of the period that the reporting blackout was in place, the UK government vacillated over its policy response to the data breach. Even in recent weeks — nearly two years on — the number of victims who should be allowed to seek sanctuary in Britain has been the subject of Whitehall review.

Last month, the government sharply changed direction. An internal policy review had concluded the danger was much less acute than previously assessed.

“Rather than being a defining factor in an individual being targeted, it is likely that public knowledge of the dataset would be simply another factor in exacerbating a person’s existing vulnerability,” the review concluded.

Was one of the most extensive court orders in English legal history based on a false premise?


Super-injunctions are known for more frivolous cases, deployed by celebrities to prevent tabloids from publishing stories about their personal lives. Past examples include the case of footballer John Terry in 2010 and broadcaster Andrew Marr in 2008, who later said he was “embarrassed” about obtaining it.

Such cases prompted critics to warn that court suppression orders were creating a secret justice system. Former prime minister David Cameron in 2011 said he was “uneasy” about such wide-ranging restrictions on freedom of speech. In May that year, Lord Neuberger, a senior judge, told his colleagues to issue them only in “the rarest cases”.


In his initial application to the court, Wallace said that while extracts of the dataset had appeared on Facebook — posted by an anonymous user who threatened to release the entire spreadsheet — disclosure so far had been “very limited”. The social media platform’s owner Meta had removed the messages after four days. However, wider publication of the breach “would create a real and immediate risk to the life and safety” of those identified, Wallace said.

Officials had assessed that the Taliban did not currently have the list. But they believed — for reasons the MoD has not disclosed — that if the Islamist movement knew the dataset had been released erroneously, it was “highly likely to succeed” in obtaining it.

The MoD told the court that keeping the incident secret would buy it time to “implement protective measures”. Nina Cope, a senior MoD official, estimated in a witness statement that it could take “in the region of four months” for “all reasonable mitigations” to be put in place.

Knowles accepted the MoD’s assessment, and ordered that a super-injunction be imposed until December 2023. In his September 2023 ruling, the judge acknowledged the restrictions were “exceptional”. He added that they were justified in the “particular and exceptional circumstances of the case”. 

The super-injunction was initially served on two media groups — Daily Mail publisher Associated Newspapers, and Global Media, owner of The News Agents podcast. In the following months, journalists at five other outlets who learned of the breach were also subjected to the gag order, including, earlier this year, at the Financial Times.

The seven media groups have challenged the restrictions during protracted injunction proceedings. All the court hearings were heard in “private”, excluding the public and wider press, while some were “closed” — a tighter set of restrictions that, for reasons of national security, excluded the media organisations involved in the case.

A “special advocate”, Tom Forster KC, was appointed by the court to represent the interests of the media during closed hearings, but the defendants were not informed about what the advocate, a security-cleared barrister, argued on their behalf, nor what the judge heard from the government.

As a result, basic details about the data breach — including whether the soldier who committed the original blunder has faced any disciplinary action, and to whom they mistakenly sent the dataset — remain secret.


Mr Justice Chamberlain, to whom the case was transferred from Knowles, ruled in November 2023 in favour of maintaining the restrictions. Evidence he heard behind closed doors suggested there was a “real risk” that the Taliban would be able to obtain the list if it knew it had been mistakenly released.

“Many thousands whose details are included could be killed or injured and the UK government would have no realistic way of safeguarding them,” the judge said.

Even at this stage, though, Chamberlain made clear he had big reservations. “The grant of a super-injunction to the government is likely to give rise to the understandable suspicion that the court’s processes are being used for the purposes of censorship,” he said.


Gagging the media through the courts was just one step the government needed to take to keep the extraordinary episode under wraps.

One big risk of exposure was parliament. Previous super-injunctions have been rendered ineffective after MPs used parliamentary privilege to override the court restrictions.

They include the case of Trafigura, the commodity trading group, which obtained a super-injunction through law firm Carter-Ruck in 2009 to prevent The Guardian from disclosing a report about waste dumping.

Labour MP Paul Farrelly tabled a written parliamentary question the following month that revealed the existence of the super-injunction.

Several parliamentary questions about the Afghan Relocations and Assistance Policy (Arap), the resettlement scheme under which those on the compromised database had applied, had been scheduled for September 7, 2023.

To prevent the data breach potentially being revealed, government officials alerted Sir Lindsay Hoyle, Speaker of the House of Commons, who has the power to veto questions, and his counterpart in the Lords, John McFall, to the super-injunction.

“Ministers considered it appropriate to notify the Speakers” so they “could make informed decisions as to how matters should be handled”, said Deana Rouse, a senior MoD official, in a witness statement that October.

Sunak’s Conservative government kept the then-Labour opposition in the dark for months — even though in the UK the leadership of the main opposition party typically receives classified briefings on important national security matters, and despite civil servants recommending that selected Labour figures should be kept in the loop.

Grant Shapps, Wallace’s successor as defence secretary, told officials in November that the opposition should not be briefed. Parliament’s intelligence and security committee and the Commons defence select committee were also kept in the dark.

“I would not widen [the] circle by briefing others,” said Shapps, according to a civil service memo dated November 2023.

In an update about the super-injunction prepared for Shapps later that month, civil servants warned the defence secretary that the judge, Chamberlain, had expressed “serious concern” that the gagging order “has the effect of completely shutting down mechanisms of public and parliamentary accountability”.

“We ask whether, in light of the judge’s latest judgment, this [decision against informing the opposition] could be reconsidered,” they added, suggesting that Starmer, then leader of the opposition, and some shadow ministers be informed in confidence.

The MoD also decided against briefing the chair of an ongoing public inquiry into allegations of extrajudicial killings in Afghanistan by members of the UK special forces, accusations that — if proven — could further fuel the Taliban’s desire to exact revenge on Afghans who collaborated with the British.

“The democratic process remains in the deep freeze,” said Forster, the special advocate, in written submissions to the court on November 30. Ministers were able to “operate behind the cloak of the injunction and are wholly unaccountable. That they will, one day, have to account for their actions is nothing to the point. What is critical is that there is challenge to the system now.”

John Healey, then-shadow defence secretary, was finally briefed on December 12.

The next day, Healey asked Shapps in parliament about data breaches at the MoD. A minister responded the following week to say there were “two live ICO investigations into incidents within the Ministry of Defence. We do not provide further detail on live investigations.”


The secrecy endured throughout a general election campaign and after Labour took power in July 2024. In December — a year after he put the MoD data breach question to Shapps — Healey, the recently appointed defence secretary, made a statement of his own to parliament about Afghan relocations.

Ministers were “fixing the foundations of a complicated system”, he said, by “reforming our internal organisation” and “drawing together a single pipeline” for resettlements. Healey mentioned there would be more arrivals of “applications that were previously considered ineligible”.

The blandly worded written statement, which received little press coverage, made no reference to one of the main reasons it was being made — the data breach.

Natalie Moore, a senior official at the MoD, had told the court in October that a parliamentary statement was being prepared that would “help to provide cover for the numbers arriving” under a secret immigration scheme that had been set up for those on the compromised dataset, known as the Afghan Response Route (ARR).


Arrivals under the scheme had been slow. By October 2024, only 332 Afghans, who were priorities for resettlement, had arrived in the UK. Still, immigration statistics, released each quarter by the Home Office, did not reveal them. Arrivals under the secret ARR scheme were “not recorded” in the figures released in August and November 2024, said Dominic Wilson, a Cabinet Office official, in a witness statement last month.

The decision not to report them had been taken for “containment reasons” and the number of arrivals was “low” at the time the statistics were released, Wilson said.

The volume was expected to pick up, though. Despite the anticipated influx of thousands of additional immigrants, local councils — which play a central role in settling new arrivals to the UK in these circumstances — had not been told.

The purpose of the parliamentary statement was to update MPs on the “scale of the challenge on resettlement”, Wilson said in a witness statement in January. “It was also to enable engagement with local authorities to commence, as they are a vital delivery partner for Afghan resettlement.”

Councils “need to be publicly provided with reasonable planning assumptions around numbers”, Wilson said. But “at present there are no plans to inform local authorities about the data incident”, he added.

“The continued arrival in the UK of Afghan families could become a matter of public debate leading to questions about HMG’s [the government’s] relocation efforts that could be difficult to answer publicly,” Wilson said.

Jude Bunting KC, representing the media, argued in February that Healey’s parliamentary statement had been “misleading by omission”. It “does not explain why there will be greater numbers of relocations from Afghanistan”.

Cathryn McGahey KC, for the government, said parliament had not been misled. She told the court that the announcement enabled “the ARR [the secret immigration scheme] to be delivered without revealing the fact of the data incident”. She added: “It was made with the parliamentary authorities and opposition aware of the context.”

The impact of the data breach on already-strained UK public finances has also been kept from public view.

Officials presented differing cost projections depending on arrival numbers. Last October they estimated between £6.27bn and £7.23bn, based on a “total resettlement cohort” of 36,000.

The costs of ARR had been included in the MoD’s annual report but had not been specified, Wilson said in his January witness statement. It was “reported against the relevant expenditure which was incurred, for example workforce or purchase of goods and services”.

Officials also massaged the MoD’s annual report, which required disclosure of data incidents that had been reported to the Information Commissioner’s Office, as this one had.

The MoD had reached an understanding with the National Audit Office, the public spending watchdog, for a more “limited” description of the incident than usual to be included in the accounts, Wilson told the court.

But the published report, released last July, omitted even the agreed formulation. “Unfortunately, for reasons that are unclear to me . . . the report itself did not replicate the agreed approach,” Wilson said. The intention, he said, was “for this deficiency to be remedied in the next annual accounts”.

More recently, officials decided it was “no longer tenable” not to report the additional Afghan arrivals in the immigration statistics. ARR arrivals are now included “under the Arap subset”, Wilson said last month.

Another body that had to be kept in line was the ICO, which was preparing to fine the MoD for a smaller data breach in September 2021. In that incident officials sent three mass emails to Arap applicants using the “To” field instead of “Blind Carbon Copy”, exposing 265 email addresses to the whole distribution list. An ICO representative was issued with the super-injunction before making the other incident public in December 2023.


As the months wore on, Chamberlain became increasingly concerned that the super-injunction was threatening the safety of those it was supposed to protect. The government decided in early 2024 to relocate to the UK only a minority of the data breach victims. Ministers concluded that the total number of people affected — as many as 100,000 — was so large it would be impossible to move them all.

“The government has decided to help only a very small proportion of those whose lives have been endangered,” Chamberlain said in a ruling in February 2024. Yet the super-injunction meant victims could not be told even though they were stuck in Afghanistan, which may leave them “effectively unable” to take precautions.

Outside scrutiny might lead ministers to respond differently, the judge said. “The media and public would have the opportunity to put pressure on the government to increase the number of people to whom relocation would be offered,” Chamberlain said. He once again maintained the super-injunction, but called for the MoD to provide more evidence to support its case for the extraordinary restrictions.

In May last year, the judge decided the time had come to “grasp the nettle” and lift the super-injunction. By then, Chamberlain had concluded there was a “possibility” that the Taliban knew the data had been compromised.

Arap campaigners long disputed the MoD’s assertion that the Taliban did not have access to the database. One of them had told the MoD that “the number of arrests and abductions reported since August 2023 makes it likely” that it was being used to hunt people. An activist assisting Arap applicants also provided evidence to the MoD in September 2023 that an Afghan had received a threatening call from Taliban intelligence on a number they had only supplied in their Arap application. 

In his May 2024 ruling, Chamberlain noted that by that point the breach had occurred almost two years earlier. Someone had already posted about it on Facebook on a group with 1,300 members, some of whom may well have been Taliban infiltrators. And UK government officials in Islamabad who learned of the breach soon after the Facebook posts had alerted about 1,800 applicants in Pakistan that some of their personal details had been compromised.

The rest of the victims “would be better off learning of the data breach from the UK government than a knock on the door from the Taliban”, Chamberlain said.

Even if the Taliban did not yet have access to the list, the judge said it was likely they would do so in coming months or years. The “enormous sums of public money” being committed in responding to the data compromise were “bound to attract attention”, he said.

This was the “sort of money which makes a material difference to government spending plans and is normally the stuff of political debate. There is a real question about the feasibility (let alone the desirability) of keeping the reasons for such expenditure secret.” 

The MoD appealed against the ruling, however, and Chamberlain’s decision was reversed in July 2024 by the Court of Appeal, with Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby sitting privately.

Last October, the media organisations argued that the government’s position had “radically” evolved, from seeking a temporary injunction to wanting to, as the defence secretary said in a paper to cabinet colleagues the same month, “maintain control of the narrative” and implement a “robust public comms strategy”. This would involve setting out the “scale (but not the cause) of the challenge” posed by relocating Afghans en masse to the UK, an approach that amounted to “actively misleading the public”, the court heard.

Bunting told the court the following month that the government had “created, through its own data breach, an asserted risk to life for close to 100,000 people. The claimant now intends to manage that risk through a secret scheme, without any parliamentary or legal oversight in individual cases.

“The prospect for error, both legal and factual, in deciding who should and should not be offered assistance . . . is significant. Yet those people do not know that these decisions are being taken about them and have no means of challenging them.”

In May the court heard, via a parallel legal action, that more than 665 Afghan nationals — of whom over 150 were in Afghanistan — were preparing to sue the MoD over the data breach, suggesting knowledge of the episode was spreading in the country.

Until now, the class action effort has been impeded because Barings Law, the firm representing the Afghans, has also been subject to the super-injunction.


The pivotal turning point came last month. After arguing in court for almost two years that those on the list were in mortal danger, requiring thousands of Afghan nationals to be relocated in secret, the government told the judge a review it commissioned had concluded that the dangers were not in fact as grave as previously thought.

The review by Paul Rimmer, a retired deputy chief of defence intelligence, concluded that even if the Taliban acquired the dataset it would be “unlikely to substantially change an individual’s existing exposure”. This was partly because the Taliban already had extensive records available to it about western collaborators from other sources.

The government acknowledged that the extraordinary restrictions could no longer be justified.

In his judgment on Tuesday, Chamberlain said Rimmer’s conclusions “fundamentally undermine the evidential basis” for the courts’ earlier decisions to prolong the super-injunction.

“There is no tenable basis” to extend it further, the judge said, citing “serious interference” in freedom of the press and the “right of the public to receive the information they wish to impart”.

Even now, though, restrictions persist through a new, “contra mundum” interim injunction imposed for another week that prevents reporting the full severity of the data breach. Chamberlain said the latest restrictions were “much narrower than those sought by the MoD” and would “permit full reporting of almost all the relevant circumstances”.

One of the most restrictive court orders in English legal history is likely to have a lasting legacy.

Chamberlain on Tuesday said that the assessments in Rimmer’s report were “very different from those on which the super-injunction was sought and granted” — eroding the foundations that underpinned nearly two years of official secrecy.

“It will be for others to consider whether lessons can be learned from the way the initial assessments in this case were prepared and whether the courts were, or are generally, right to accord such weight to assessments of this kind.”


