Article Details

Legacy systems blamed as ministers promise no repeat of Afghan breach. UK government grilled over progress made to prevent a second life-threatening leak. Legacy IT issues are hampering key technical measures designed to prevent highly sensitive data leaks, UK government officials say. On Tuesday, Parliament's Science, Innovation and Technology Committee grilled senior ministers on the progress made to prevent a repeat of the incident involving the Ministry of Defence (MoD) accidentally exposing data that put Afghan informants' lives at risk. The hearing was scheduled to discuss the government's response following its Information Security Review, which, among other things, recommended that it implement the technical means to share information directly from the source, and not via email. Considered one of the most sensitive leaks of data in recent British history, the MoD twice exposed the details of Afghans who assisted British forces during the Taliban conflict. Around 19,000 applicants for the UK's resettlement scheme had their details compromised via the classic CC-not-BCC email blunder. Among the 14 data security recommendations in the review - compiled in 2023 but not published until August 2025 - was developing methods for cross-government information sharing that don't rely on email. The aim was to eliminate human error causing accidental data leaks, a pain point the Information Commissioner's Office previously highlighted and was trying to fix through cultural change. Ian Murray, minister for digital government and data, said "cultural change happens through practice," and the idea of technical solutions blocking civil servants from attaching documents to emails is one of the ways to enact this. Asked whether it is being rolled out across government, Murray confirmed it would be "where appropriate," but Aimee Smith, the government's chief data officer, warned of the challenges. "Where you have departments operating on various different legacy systems, emailing an attachment internally may actually be the only way that you can take information from one system to another," she said. "That's the complicated nature of what we're looking at across all of the departments and the arm's-length bodies. So, in principle, we would be setting out how we want people to operate, but there's going to need to be some considered support and focus and investment for departments to get there." Smith also said "there is more than enough capability" across government departments, regardless of whether they run Google Workspace or Microsoft 365, to share documents without releasing them. It is easier for government departments to share documents in this way internally than it is to give them to external recipients, such as arm's-length bodies, which may run different legacy kit. "We have got standards about the kind of email - what you can and can't email - that are put out to departments, and how they should be configuring their system," Smith said.  Cross-departmental sharing with external recipients poses greater difficulties due to differing legacy IT systems, she said. However, the necessary tools exist, and recent year-end guidance has been issued asking departments to comply. A pretty spat The meeting did not start well for the ministers in attendance. Committee member Kit Malthouse admonished an apologetic Dan Jarvis, the UK's security minister, for not arriving prepared to discuss an earlier topic of rising phone thefts in London, despite the committee's requests. Soon after, Murray was questioned about his previous comments relating to government data security, in his words, being "pretty good." The committee was not happy with the wording and sought assurances about what this meant. Murray said he reserved stronger wording "because you could never say with great certainty that you could secure every bit of data," since human error invariably is a factor that can't always be accounted for. He said, given the volume of data involved - billions of transactions per day - the vast majority is processed securely, but acknowledged the seriousness of such cases that aren't, however rare they might be. Committee chair Dame Chi Onwurah questioned whether the government is holding itself to a high enough standard, especially against the backdrop of an incoming digital ID program and sprawling eVisa system issues. "It's important that any data breach is a huge issue, and government has to get it right all the time, particularly if we're rolling out digital ID, which is going to be the basis of government services and delivery," she said. "Government has to get it right all the time." Jarvis jumped to the government's defense, saying: "That's where we want to get, but I think the point that Minister Murray was making entirely reasonably is that there is human error, which accounts for some of these losses and incidents. "And whilst you can put in all of the processes that you like and you can have the right culture and the right leadership, there will be mistakes that will be made. What we have to do is to minimize the risk of people making those mistakes, and where mistakes have been made, we have to ensure that we've got the right procedures to sweep up after them. "But please don't take away anything other than our absolute determination to achieve the best outcome. That's what we're all working to achieve." Show us the data The committee further probed for information about any assessments made of government systems, and asked if the relevant data could be publicized. Among the details sought by the committee were specific Red-Amber-Green (RAG) ratings of each government system relating to data security. Murray said he wouldn't object to sharing details about the overall percentage of legacy systems across government privately with the committee, but must confer with colleagues before committing to anything. Vincent Devine, head of UK government security, said an "assurance exercise" was carried out in October 2025, which found a 90 percent compliance rate with data security standards across government departments. There are plans to include this data in future annual reviews, but he couldn't say how much would be reported this year. Devine noted that departments receive annual RAG ratings on various security measures, with an overall organizational rating also assigned. However, this data remains confidential to avoid providing intelligence to potential attackers. Dame Chi emphasized the committee would welcome access to any available data, noting that such measurable metrics are essential for tracking departmental progress. The committee chair also led calls in August, following the security review's publication, for more transparency around progress the government was making toward meeting the report's 14 recommendations. She said at the time: "The government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public? "I have asked Minister Pat McFadden and Information Commissioner John Edwards to appear before my committee to explain the circumstances around this review and how far its recommendations have been implemented. Proper scrutiny on this is desperately needed, and it's crucial we have a better understanding of how the government plans to stop these dangerous data breaches." Murray said that 13.5 of the 14 recommendations have been implemented. "13.5, I would say, if not all 14 on the basis that there are still some technical meetings to take place with regard to the governance structures, but, in the sense of those recommendations, all of them have been implemented, and actually we've gone further in some areas."