It’s inconceivable that no one who got the email raised the alarm, writes former UK national armaments director
Which of us has not sent an embarrassing email to the wrong person? Those of us who have struggled with Excel know just how easy it is to clip and send the wrong part of the data set.
And yet, and yet … The MoD data breach is not like this, not at all.
For a start, unlike most organisations, the MoD runs two computer systems. One called Official/Sensitive, which is a bog-standard system, and one called Secret, which is very different. About 10% of MoD traffic is on Secret, and is much more restrictive in what you can do and who can see it.
Secret is used for communicating about current military action, security concerns, and almost anything to do with the special Forces. It isn’t on the MoD system used for holiday requests and parking spaces.
So how do the full details of nearly 19,000 Afghanis end up exposed, along with information on over 100 of the UK Special Forces and spies? It’s at the least very odd. If it had been on the Secret system, then our unfortunate sender couldn’t have emailed it to the outside world.
Then there is the MoD habit of copying everyone in. Apparently, there were a few people outside the ministry who were sent this workbook. But the MoD always covers itself by copying in at least half a dozen insiders.
So, it’s a real struggle to imagine that none of the outsiders said, “are you really asking for my opinion on 19,000 people? Do you mean that?” Why did none of the insiders copied into it say, “Hey, do you realise what you have done?” It’s inconceivable that no one who got the email noticed what was attached to it and raised the alarm. Are we really supposed to believe that for 18 months, nobody noticed this email?
More likely, someone did notice and then they tried to cover it up. It’s a rule of thumb in the MoD that if any serious security issue arises, you must solve it or escalate it within the day. Not 18 months.
Then there is the seriousness of the material itself. Those self-righteously beating their breasts about the importance of the superinjunction, imposed to prevent the data leak from being made public, might care to look at what Mr Justice Chamberlain had to say last week. He drew heavily for his decision to lift the injunction on a report written by Paul Rimmer, a retired civil servant who is the very acme of propriety.
It’s a rule of thumb in the MoD that if any serious security issue arises, you must solve it or escalate it within the day. Not 18 months
Rimmer says in his summary that “there is little evidence of intent by the Taliban to conduct a campaign of retribution against [certain individuals]”. What’s more, Rimmer points out that “all payroll, pensions, and service details for Military and Police employees were held by the [Afghan] Ministry of the Interior and Ministry of Defence and were handed over to the Taliban”. Beyond that, “biometric details of [all personnel] … were transferred to the Taliban in August 2021”. In other words, the Taliban knew who all these people were six months before the breach ever occurred.
It took Rimmer just over three months to complete his work, using sources that would have been available in 2023, and about a day for Chamberlain to agree that these facts fatally undermined the rationale for the injunction.
It’s a pity that back in 2023 neither Tory defence secretary Ben Wallace, nor Grant Shapps who succeeded him, took a moment to ask Rimmer, or another civil servant, to assess the importance of what had happened. If they had, by Christmas 2023 any injunction could have been dropped, and a great deal of expensive and contentious action might have been avoided. Since current Labour defence secretary John Healey was informed of the breach in December 2023, he could also have asked for such a report on entering office in July 2024, but he waited another six months to do so.
Both Rimmer and Chamberlain are, in the polite way of their clans, excoriating about the government’s actions. Rimmer points to, “the consequences for scrutiny and transparency, given the unprecedented legal action … and corresponding decisions around value for money.”
Chamberlain queries how much of what Rimmer has revealed is new, and whether the representations of the MoD to the court in 2023 were accurate or not. “It will be for others to consider what lessons can be learned from the way initial assessments in this case were prepared … and whether the courts were … right to accord such weight to assessments of this kind,” he wryly observes.
Panic seems to be the best word to describe the response to the apparent discovery, 18 months after the fact, of this leak. Mimicking headless chickens was the order of the day, rather than following the motto on so many government mugs, Keep Calm and Carry On.
In these difficult days of social tension and fiscal pressure, we need good governance to see us through. It’s pretty clear in this instance who represents clear thinking and cool decision making, and who doesn’t.
Bernard Gray was chief of defence materiel and UK national armaments director from 2011-2015
Photograph by Marco Di Lauro/Getty Images
Social links
Copyright © 2025 Tortoise Media
All Rights Reserved
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.