The Ministry of Defence has confirmed a new contractor-linked incident that may have exposed personal information for up to 3,700 Afghan nationals relocated to the UK under the Afghan Relocations and Assistance Policy between January and March 2024. The MoD data breach centres on a cybersecurity lapse at Inflite – The Jet Centre, a subcontractor at London Stansted Airport that provides ground handling for MoD flights carrying Afghan nationals, British troops, and government officials, as well as routine military movements. Officials say exposed fields are understood to include names and passport details. Those believed to be affected were notified by the government on Friday.
The episode follows an earlier revelation that more than 19,000 Afghans had their details disclosed in a separate Afghan data breach two years ago. Unlike that incident, the current exposure did not originate inside the Ministry of Defence. Government statements attribute the problem to third-party security at the subcontractor level. Reports also suggest several former Conservative ministers may be among those impacted by the MoD data breach, though the government has not provided names.
In public remarks carried by the BBC, former UK national security adviser Sir Mark Lyall Grant called both episodes damaging to confidence in official processes.
“Deeply embarrassing,” he said of the pair of breaches, adding that checks for relocation remain necessary but that it is up to the government to “honour the commitment they made.”
“We do need to move faster to protect people who genuinely are at risk of being victimised and persecuted by the Taliban if they go back.”
Parliamentarians from across the aisle described the security breach as serious. Conservative MP and former chancellor Kwasi Kwarteng said the disclosures were “very serious” and “really concerning” for individuals facing potential deportation to Afghanistan. Liberal Democrat defence spokesperson Helen Maguire accused the government of “staggering incompetence and clearly inadequate security standards,” calling for an immediate investigation into the security failures around contractor oversight.
Inflite – The Jet Centre supports MoD operations at Stansted, including ARAP flights. According to officials, the exposed material relates to passengers who arrived during the first quarter of 2024. The nature of the data—names alongside passport details—raises heightened risk compared with routine contact information. While there has been no public statement that other identifiers or biometric data were involved, security specialists typically flag passport data as sensitive because it can be misused for impersonation, fraudulent travel documentation, or targeted social engineering. The government has not said whether any fraudulent use has been detected since the MoD data breach came to light.
The Ministry of Defence has begun contacting those who may be affected and has said the incident is under investigation. No attribution has been made and no technical details about initial access or persistence at the subcontractor have been released. Officials have not commented on whether additional vendors in the MoD supply chain are being reviewed in response, nor whether the government has mandated immediate changes to contractor security controls or data handling for ARAP movements.
The Afghan Relocations and Assistance Policy is designed to support Afghans who worked alongside the UK government and armed forces. Many beneficiaries remain concerned about exposure to reprisals. Public figures who commented on the MoD data breach framed the issue through that lens: data protection failures can translate into real-world risk for individuals and families now living in the UK, as well as for those still seeking relocation. Calls for accountability have focused on supply-chain security—how the Ministry of Defence vets and monitors subcontractors that handle passenger manifests, travel documentation, and ground operations data.
What is clear from official notices is the time frame, scale, and data types: up to 3,700 individuals arriving between January and March 2024, with information understood to include names and passport details. Those notifications began on Friday, and the government says it will provide guidance to anyone whose personal information was captured in the MoD data breach. There has been no confirmation of whether credit, banking, or contact details were part of the exposure, and no timeline has been given for the technical investigation to conclude.
For the Ministry of Defence, the incident renews scrutiny of contractor assurance at airports and other operational hubs. For Afghan nationals under ARAP, the immediate concern is what was exposed and how it could be used. For the wider public sector and its partners, the story underscores longstanding risks in third-party environments where operational data intersects with identity attributes. As inquiries proceed, attention will turn to whether security standards for subcontractors are tightened, whether legacy data handling practices are updated, and how quickly affected individuals receive confirmation and ongoing support.
The government has said it is continuing its review and will provide further updates as more facts are established. Until then, the MoD data breach remains a live matter of data protection, national security, and public trust.
