I understand the strength of feeling on this subject, and this question gives me the opportunity to set out where we are with the Afghan relocations and assistance policy and yesterday’s data breach. I would like to place it on record that I had offered a statement for when we return from conference recess, as the investigation I have ordered will be able to report fully by then, and I still expect to make those details available.
As you know, Mr Speaker, I have taken the obligation we have to the Afghan personnel who have supported us throughout extremely seriously. Despite this disappointing event, we should pay tribute to the armed forces for Operation Pitting and the that we have managed to evacuate 8,800 people and families eligible under the ARAP scheme since April, in addition to the 1,400 who had already been relocated prior to that date. However, worryingly for me, over the last few weeks lapses from the highest standards in the management of those people remaining in Afghanistan have been brought to my attention by both hon. Members of this House and others. For that reason Ministers raised concerns both last week and yesterday, and sought assurances that these problems would be rectified. Those assurances were given. However, it was brought to my attention at 2000 hours last night that there had been a significant data breach. To say I was angered by this is an understatement and I immediately directed an investigation to take place.
Initial findings show that an email was sent at 17.44 hours as part of the “weekly contact” we maintain with ARAP currently remaining in Afghanistan. This had been copied to all the 245 applicants, rather than blind copying them. The email was immediately recalled on identification of the breach and then a subsequent email was sent advising people to delete the email and change their addresses, which many of them have done.
So far, one individual has been suspended pending the outcome of the investigation and processes for data handling and correspondence processing have already been changed. I have directed that extensive steps are to be taken to quantify the potential increased risk to individuals in order to take further steps to protect them. The Information Commissioner has been notified and we will co-operate fully with any of its own enquiries.
I apologise to those Afghans affected by this data breach, and we are now working with them to provide security advice. As I speak, the Minister for the Armed Forces is in the region speaking to neighbouring countries to see what more we can do with both third country and in-country applicants. This is an unacceptable level of service that has let down the thousands of members of the armed forces and veterans, and on behalf of the Ministry of Defence I apologise.
I offer the reassurance that the scheme will continue to operate and bring people back to the United Kingdom for however many are eligible and however long it takes.
Thank you for granting this urgent question, Mr Speaker.
There is rightly cross-party concern about this very grave security breach, with names, email addresses and in some cases photographs of 250 Afghan ARAP applicants, all still in Afghanistan and in danger, shared in a mass mailing. This needlessly puts their lives at risk.
I welcome the Defence Secretary’s presence here this morning and welcome his apology, inquiry and commitment to a statement when the House returns after its short recess, but it is not the apology but the action which matters most now. These Afghan interpreters worked alongside our British forces and the Government rightly pledged to protect them. Ministers must make good on those promises now, so can the Defence Secretary answer the following questions: when will he complete that assessment of the increased risk these individuals now face as a result of the data breach; what action is he taking urgently to evacuate them and their families; and why on earth is the MOD mass emailing people who face life-or-death situations?
I know from ARAP evacuees in my constituency who have separated family members still in hiding in Afghanistan that their social media has been blocked. Is there any evidence of email surveillance or interference from the Taliban? How will the MOD remain in contact with these people if they follow the advice to change their email addresses?
Yesterday, Ministers confirmed that 7,900 applications have been made to the ARAP scheme, with 900 so far approved since the end of August. Have there been any data breaches linked to other ARAP applicants?
This is the third known serious defence data breach in as many months. Each time, we have the same response: public apology, internal inquiry, then silence—no report on the inquiry results, no confirmation of action taken to tighten up the system. The Secretary of State rightly started by paying tribute to all involved in Operation Pitting. Our forces were totally professional in that extraordinary evacuation from Kabul, but they must be asking now: how can we trust our back-up at the MOD?
The right hon. Member makes some points that I would say are deservedly landed, and I hear what he says. First, yes, we mass email individuals, but we also email individually. This was a weekly catch-up email that was sent to over 250 people to make sure that they were kept in touch, because, quite rightly, as many Members have pointed out on a number of occasions, they need to be engaged and know that there is someone out there keeping it going and trying to get them through the country.
This was a mass email. It did not contain individuals’ home addresses or anything. The photo profiles that the right hon. Member mentioned were ones that were in profiles of the email addresses as opposed to the individuals’ names. Indeed, having looked at all the email addresses, I can say that the vast majority were not specific names, necessarily; they were email addresses rather than particular names. However, that does not change the fundamental impact that the email could have had and could still have.
I have asked Defence Intelligence to go through all the cases and assess the risk to the individuals. That will be ongoing. I can of course get an update, and I will be happy to share with the right hon. Member where we are with those updates on intelligence. I can certainly also give a Privy Council briefing to both him and, indeed, the Scottish National party if it wishes, on the greater security situation on the ground in Afghanistan.
This group was not the wider cohort that the right hon. Member referred to—the people who have applied since ARAP. To put it in perspective, some 68,000 have applied for ARAP. Obviously, when that number is scrubbed and worked through, it reduces significantly, but that is the number of emails that have been sitting in email boxes and have been worked through—and are being worked through—to try to make sure that we find the right people with the right criteria and then, obviously, communicate with them.
This matter relates only to the number of people who had been called forward under Op Pitting, had been security checked and were ready to go but either never made it to the Baron hotel or never made it on to a flight. That number started at 311, as hon. Members will remember. Of the 311, there are 260 principals left in Afghanistan—that is 1,232 people if we include their families—43 principals, or 163 pax in total, in third countries, and eight with whom we have still not been able to establish communications despite trying numerous times. That is the cohort that this relates to. We will do everything we can.
As far as getting those people out of the country, as I said, the Minister for the Armed Forces is now in one of the neighbouring countries and will continue to do that. I have spoken to my defence sections and offered to increase resource and to give reassurances to those third countries. The MOD funds the flying of those people back to the United Kingdom. We have already done so, and I will be happy to update the House as we go about how many people come out of the country.
Some of the other challenges, obviously, relate to security, and we have to have that balance in bringing people back who sometimes turn out, eventually, to have the wrong record; we want to protect the British public from that. But fundamentally, that is the cohort of people that these emails relate to.
I welcome the statement. I hope that the necessary oversight protocols are now in place to make sure that this does not happen again. The Taliban have not changed. They seek to exact revenge on anyone who worked for NATO. We must get these interpreters out or they will be hunted and killed. If the usual methods, via the ARAP scheme, are not available, may I invite the Secretary of State to take advantage of the chaos in the country to find clandestine means of leading these people to safety?
I thank the Secretary of State for his apology. I do not doubt the sincerity of it, and I do not doubt for a second the anger that he will have felt when he got the news of this unacceptable and quite dangerous leak yesterday. However, I have a few questions to follow on from those asked by the shadow Secretary of State, John Healey, and the Chair of the Select Committee on Defence, Mr Ellwood.
Can the Secretary of State confirm whether the Taliban have the capability to monitor these people’s emails? I do not want to know if they are monitoring them—I suspect that he would not tell the House even if he did know—but do they have the capability to do so? How long will the investigation take? Who will carry out the investigation? Is the person who has been suspended an employee of the Ministry of Defence or of the Foreign, Commonwealth and Development Office?
Will the Secretary of State outline in a bit more detail, if he is able to, the additional resources that he intends to commit to ensure that people are not exposed to any more danger than they already are as a result of the leak? I understand entirely the point that he makes about using mass email as a communications method, but who signed off on that as an okay way to make that communication?
The shadow Secretary of State is right that when these breaches happen, we get these apologies and then there tends to be silence, so more broadly, what is being done to arrest this worrying trend of data leaks from the Secretary of State’s Department? Is he going to order a broader investigation? I think the House would welcome that.
I am grateful to the hon. Member for his series of questions. First, the investigation will be carried out by Admiral Sir Ben Key, the commander of joint operations at PJHQ—permanent joint headquarters—who also led the planning and the evacuation from Kabul.
On data leaks, the hon. Member is right that these are a concern. The previous leak obviously involved a senior official who deliberately broke the regulation, in so far as he took something out the Department. If the regulation had been followed, that would not have been the case. However, although I cannot say too much, I have instigated changes to improve information security within the Department, and I am happy to brief the hon. Member on that.
The “Manual of Protective Security”, the modern rules that govern information security, is, I believe, fit for purpose; it is really the training and the adherence to it that must be improved. I am graduate of something called the classified documents handling course from the early ’90s—I think I am the only saddo who actually knows what type of lock should be on what type of cabinet that links to different types of security classifications. Nevertheless, information security is not something that western Governments are good at, which is why our adversaries seem to be. We have to improve it, and we have to stand by it.
The Taliban, or obviously any Government that control a country, have control of the telephone network. I cannot say too much about what they can and cannot do; suffice it to say that the method we used to communicate with those people is a way of minimising that risk. One of the reasons we involve emails rather than telephone calls is to try to do that, which is important.
On resource, right from the beginning of this process, way back in August, or in July, I was very clear with my senior military commanders and civil servants that they would have whatever resource they needed to process emails and carry people out, for example. We will fly these people back from third countries out of the MOD budget. It is my view that we should continue to stand by them, including using married quarters, for example, in military establishments to look after them if they cannot get places elsewhere. There has not been a resource problem; the challenge is whether people have been asking for the resource within the system to do this.
The individual concerned was a member of the Ministry of Defence, but I am very keen that it is not just the poor person who drafts the email who is held to account, but the chain upwards, to ensure that this does not happen again.
I am delighted to hear from my right hon. Friend just now that Admiral Key has got a knighthood. There has not been one earned by anyone better for many years.
The challenge of this event is not the accident, the mistake, that we can see happened. I think we all sympathise with the Ministry of Defence and indeed the Secretary of State; accidents do happen. The challenge is that there are people still there and that the co-ordination for getting people out is still complicated. Will my right hon. Friend commit to working to get a single point of contact for all those in Afghanistan who are seeking to leave? The system whereby some have to apply to the MOD, and others to the Foreign Office or through the Home Office, is excessively complicated and is leading to obstacles, including on at least four different occasions that I can speak of. People are stuck in Lashkar Gah, Kabul or Mazar-e-Sharif, trying to get out, but they are still not getting the smooth transfer that we need.
I am grateful to my hon. Friend, who makes a really important point. I would ask colleagues to have some understanding of this. The MOD, which is of course charged with defending the nation, has in very short order had to turn part of itself over to processing visas and doing the job that traditionally we would have done in the Home Office. We have taken that on ourselves because of the pace, urgency and, in the earlier time, danger.
As I have said, 68,000 emails arrived, many of which are speculative, concerning refugee status, so not even for the Foreign Office. It is a very big enterprise to take on, which is why I was determined to give all that resource. However, I would ask colleagues to remember that, at the same time, we are doing that in an Afghanistan that we have no control over. We are doing it in what for many is a dangerous environment, with the Taliban clearly in some cases actively seeking out people that they wish to deal with—murder, or whatever they are up to. At the same time, we are dealing with an ever-moving situation on the ground, and not everyone who comes out communicates back.
When I look at the spread of where people have gone to third countries, we find people in Australia, people who got on the next flight, people in other parts of Europe and people in the United States. The United States brought some people back to Germany who immediately claimed asylum to the United Kingdom. We find, when we contact people, that some are saying, “Thank you very much, but I am quite happy to stay where I am in sunny California or Australia or somewhere like that.” Some have been here for a very long period of time and have not engaged.
The next stage, which I commissioned today, is, quite rightly, a full and detailed survey of the people we have brought back to know even more about them. Obviously, there are data protection issues we have to cross, but it is really important that we get to the bottom of that.
This is another in a long line of serious errors regarding the Government’s Afghan relocations that will cost lives. Can the Secretary of State please advise us how many of the 260 interpreters the Government have been unable to make direct contact with since the breach?
Of the 260, there were eight we have not had comms with since the end of Operation Pitting. We have continued to try. The data breach happened at about 5.30 yesterday afternoon and we have engaged with as many of them as possible. I can give the House a rolling update of how many of the 260 have responded. A number have already changed their email address. There is a link in the email that allows them to communicate that securely, but I will keep the House updated on exactly the number as we go. The other point is that the numbers are changing every day, either because people crop up and say, “Actually, I’m in London or Australia,” or because of what is happening on the ground and they make it across the border. Often, when they are travelling, they are not in communication.
Between 2001 and 2014, UK forces employed 2,850 interpreters. From 2014, they were on sub-contracts, so we are looking at 300 or 400 more. The relocation programme up till April this year relocated 440 interpreters. I can account for about 99 interpreters who were rescued during Operation Pitting. What assessment has the Secretary of State made of how many interpreters—not families, but interpreters—the MOD has been able to rescue from Afghanistan? It jars slightly with numbers in the low hundreds that he is presenting to the House today.
I am listening to my hon. Friend. Where I take issue with him is that it is not 99. Some 650 principals, not families, came out through Operation Pitting. There were: 850 under categories 1 and 2; 836 under category 4; and 50 under other categories. Some 650 of those were interpreters either through contractors or directly employed, or supporting in the contractor role.
The Secretary of State’s anger at hearing the news is not in any way misplaced, and I thank him for coming to the Chamber and making his statement. It seems to me that there is a wealth of difference between a mass email and individual one-to-one contact. Can I seek an assurance that every one of the people we know about is in proper one-to-one contact, either by text or other means, with somebody in the Ministry of Defence or the FCDO who can mentor them, talk to them and help them face this huge problem?
I cannot give the hon. Gentleman the assurance that they have all replied, but we have absolutely taken a view that they should be case managed, on top of the weekly update. To do that, we find it is best through email because of the security issues. Earlier on I was pushing for voice, but actually—I made the point about the Taliban being in control of the telephone network—we are probably better doing it through other means, so it is important that we do that. He is absolutely right. Only today, I pressed on unlimited resource. How many people have we got working on this? Why do we not have more? We have, in total, 50 people dealing with the ARAP scheme. One of our biggest challenges in the past two weeks was clearing or separating away the 68,000 to focus on the people who come within the criteria that we can put the resource on to. The hon. Gentleman’s ambition and my ambition are the same: we are there, but it is often in slow time because of the delay in the response to our emails.
Internet banking constantly asks customers if they are sure they wish to proceed. Surely it would not be too difficult to have an automated reminder or check, if it looks as if an email of a sensitive nature is going to be sent to multiple recipients? In that connection, I have here a printed list of 70 former long-term employees on British contracts in Afghanistan. I propose to hand it to the excellent new Parliamentary Private Secretaries to the Defence ministerial team. When I am informed of a secure address to which I can send it electronically, I will be happy to do so.
The base at PJHQ is open to all manner of communication to those individuals, whichever way best keeps them safe and secure. I welcome my two new PPSs, my hon. Friends the Members for Stourbridge (Suzanne Webb) and for Bracknell (James Sunderland), to the role. What a day to start, but I look forward to working with them. The key here is to engage throughout the process with parliamentarians to make sure that I can keep them as informed as possible.
I am looking at that, both in case management—some case management should already be being used—and in mailing provision. If we do a mass mail, how can we improve that—Mailchimp or that type of thing.
Our nation owes a huge debt of gratitude and honour to the people who helped our forces when they were deployed for 20 years in Afghanistan. Can my right hon. Friend confirm that the offer to relocate and assist in bringing them back is open-ended, and we will do whatever we can, even if it takes years to do it, to open up and offer that assistance and help?
Yes, the ARAP scheme is open-ended. It will continue and it is an obligation we will stand by. I suspect that, given the nature of that part of the world, people will come through in dribs and drabs. We may find that in four and five years’ time, people come across the border. There is also a challenge when we have the principal in the UK though their families, who are not British citizens, are in Afghanistan. They are eligible; they will be able to come forward. We have to make sure that they are managed. I am hopeful that they are at lesser risk than the principals, because they are often the women and children, but that does not mean to say that we should not have the same urgency and anxiousness for their safety.
First, we had secret documents on Afghanistan left at a bus stop in Kent. Now, we have this latest breach of security. I say to the Secretary of State that it has become a little habit forming in his Department to have information leaks. Can I ask him directly: does he have confidence in his Department’s ability to handle sensitive and secret information? He says he has instigated a review. How can he ensure the lessons learned go all the way through the chain of command so it does not happen again?
I think the best way to do it is by personal supervision. I fundamentally agree with the right hon. Gentleman’s point. We are in a world with even more data and we have to be even more careful. Our adversaries are even more aggressive in finding it. Where there was a breach recently, I took action: that individual is no longer in the Department. In this case, the individual is suspended. However, the right hon. Gentleman is right. Information security should go to the fingertips of organisations, from the most junior to the most senior. I have to say, having been the previous Security Minister, that I have seen some pretty bad examples in the last few years.
There is no doubt as to the frustration and the heartache of the Defence Secretary about this situation. In the correspondence we are having with those still on the ground, recognising that the situation is changing and that we are not on the ground, can he reassure us that extraction advice or advice on how to get to borders is being given to those still on the ground who do not have intel themselves and are too scared to move from where they are currently in hiding?
I have been contacted about the harrowing case of a man who worked as a UK contractor on a UK project for many years and had a specific directed threat from a senior Taliban official. He fled his home with his family, but when his wife returned to the house to collect some belongings a few days ago, the Taliban arrived and she was shot in the head. She died a couple of days later.
The man applied twice for the ARAP scheme and has still not had a reply. Please could the Secretary of State make sure that this case is pursued? Could he also make sure that everyone who has applied gets a personal response? Will he confirm that contractors on UK projects whose families and who themselves are at mortal danger from the Taliban are eligible for the ARAP scheme?
On the criteria for the ARAP scheme, I point the right hon. Lady to the website, but what I can say generically is that contractors and the directly employed, if they come under that umbrella of the ARAP scheme, are eligible. I would be very happy to look at that case.
We assess that, despite the huge number of extra applications that have come in since we left, there are approximately 900 credible further cases of ARAP to bring forward; we are processing them at the moment, on top of the 311. We have already brought back 50 from that cohort and we will continue to bring those people out or from third countries where we find them.
The case that the right hon. Lady raises is the most worrying part. Despite the warm words of the Taliban when they started their effort to run the country, we have seen significant numbers of such incidents occurring, which only adds to my sense of sorrow about what happened today.
I commend the Secretary of State for his response to the urgent question, for the action that he has taken and for all his efforts throughout Operation Pitting. Quite a few numbers have been cited around the Chamber; I think he said that there had been 68,000 email applications to ARAP, and I believe that the shadow Secretary of State, John Healey, said that 7,900 had been processed and 900 had been approved. Could we have a definitive list of the applications received, those being processed and those approved?
If my hon. Friend accepts that it will be rolling, because it is moving, I will be happy to write to him with details of a fixed period of time. Obviously those vast amounts were from a range of people and were speculative about potential refugee status as well as ARAP; part of the resource has been taken up trying to separate the two.
The other thing to say is that the Department and I started on ARAP when I went to see the Home Secretary in September 2020. That was when we realised that the previous scheme was not working, and it was why we took the steps that we needed to take. It was signed off by the National Security Council in December 2020. It is a scheme that is in large parts mature, but the final collapse in Kabul has clearly been the biggest test. That is why we will do everything we can for the people left behind.
This is the fourth data breach this year. Does the Secretary of State agree that his Department has a systemic problem with data security? What steps will he take to fix the issues and ensure the safety of the thousands still waiting to be evacuated? What assurances can he give to the families in my Liverpool, Riverside constituency who are very concerned about the safety of their loved ones who are still waiting to be evacuated?
The assurance that I can give is only limited, I am afraid, given that we are no longer in Afghanistan and given the actions of the Taliban. I think that to give a 100% assurance would be misleading.
On data, as I have said to other Members, it is not good enough. It is not a unique MOD thing, but information security across the board has to improve. We are investing billions of pounds in improving our computer systems and our encryption, which is incredibly important to keep one step ahead. Unfortunately, I cannot talk about a lot of it in public, but it takes significant commitment, funding and British know-how.
I am grateful for my right hon. Friend’s characteristic candour in addressing the issues. The sad fact is that we will probably see another Operation Pitting at some point in our lifetime. Can he assure me that he will work across the board, particularly with our allies, to ensure that information security standards are improved and that we continue to be at the forefront of protecting the most vulnerable in the world?
I think that the lesson learned is that this was an evacuation in the 21st century in which emails, WhatsApp, Twitter and Facebook were a running commentary, but the inboxes of serving officers and soldiers in Kabul on the operation were also filling up with emails from former colleagues in the hundreds, saying “Can you get X and Y out?” It would not have happened in my day, because we did not have that type of network. It is a new phenomenon; today I met the Five Eyes chiefs of defence staff, for example, and we discussed the change.
We will have to take into consideration how we do many operations in the full glow of social media, with people out there who can communicate but who might not be safe. Usually, we equate being able to communicate with being safe; now we are in a very different world. I think that that is a lesson for all militaries around the world to learn.
An Afghan family I saw at my surgery yesterday told me that a relative working with coalition forces had been literally blown to bits by the Taliban in a targeted assassination two days before they took Kabul. Other relatives are similarly at risk, but the response that I have had from the MOD says that they are not eligible for ARAP. We are assembling more evidence in that case, but as I have had only four replies to more than 100 live cases, I am not hopeful. Even if they are accepted on the scheme, what do I tell them to do next?
I understand the hon. Member’s desire to manage his individual cases, but we are doing everything we can with the people who are referred to us, either via Members or directly through the application process. We are putting all our resource into dealing with them. We will keep colleagues and Members up to date as much as possible, but if he wants specific advice for each case, I urge him to make sure that it is delivered by the people who are co-ordinating it. If there are people who are not eligible and who he thinks should be eligible, I will be very happy to look again at their cases, if he writes to me with the details, and make sure that we see what we can do.
I thank the Secretary of State for his statement and for his commitment to update the House after the recess. When he does so in five or six weeks’ time, will he please ensure that he gives an accurate assessment of the additional threats and intimidation that Afghan nationals face as a result of the data breach? I am concerned less about the technical nature of the failing, however important that is, than about the lives of the individuals and their families.
The right hon. Member puts his question very well. I will be happy to update the House on the threat situation, both for Afghans who worked for us and for us in the United Kingdom overall, and on any growth in the terrorism threat from Afghanistan.
Asking people simply to change their email address seems woefully inadequate, given that names can be extracted from email addresses. What additional security advice has the Secretary of State given to the interpreters on the email list and their families?
As I have said, they will be contacted or have been contacted. Where, on a one-to-one basis, there is a case management process, we will try to tailor advice on counter-intelligence methods, on how people can protect themselves and on locations that we think are safer.
Although the breach is in his Department, will the Secretary of State outline what discussions he is having with his counterparts in the Foreign Office and the Home Office? Are any specific measures being taken now to secure information on all cases processed? What assessment can he give of how the Ministry of Defence ensures that the correct information goes to the correct part of Government so that we can help those we have a duty to help?
Among the 50 personnel working on the ARAP scheme in PJHQ, there are a number embedded in other Departments whose main job is to liaise on everything from Parliament all the way through to the Home Office and the Foreign Office, to ensure that information is cross-checked. Some of it is cross-checking, because some of the applicants have applied to all schemes, but I hear what the Chair of the Foreign Affairs Committee, my hon. Friend Tom Tugendhat, said about the demand for a single point of contact, which might help going forward.
I have a constituency case about which I have written to the Home Office. It relates to an 18-year-old woman who married a British constituent of mine. Her father worked as a translator for a number of allies in Afghanistan, albeit not the UK. Her parents and siblings may be evacuated, but she will be left behind, alone and vulnerable. This data breach is only exacerbating the worry and distress that she feels, still stuck in Kabul. What discussions has the Secretary of State had with colleagues about how such vulnerable citizens will be supported?
The hon. Lady has raised a challenging case. The person concerned is probably an adult, she is not herself the interpreter, and he worked for a third country. However, if the hon. Lady sends me the details, I shall be happy to approach that third country to see whether we can assist in the case, or get them to assist in it.
I thank the Secretary of State for his dedication to the job in hand, and for answering these questions as well.
In Northern Ireland, the Royal Irish Regiment, the Police Service of Northern Ireland, prison officers and elected representatives are only too well aware of the awful feeling of knowing that one’s safe haven—one’s home—is endangered What has been done to help those who responded with personal details to enable them to relocate quickly and safely in the interim?
The first thing to do is establish contact with as many of them as possible, which we are doing, and I have offered to update the House on how many we have contacted. I will see what I can do by the end of today, or certainly by the end of this week. We need to establish new contact details and get some assurances about them, but at the same time we need to start or continue the one-to-one management of their cases.