Defence ministry’s newly published annual report and accounts shows a rise in ‘unauthorised disclosures’ that the Information Commissioner’s Office has not been told about, as well as major writedowns on tech projects
The Ministry of Defence posted a double-digit rise in personal-data-related incidents in the last financial year, its just-published annual report and accounts for 2024-25 has revealed.
According to the document, which was laid before parliament last week, the department logged 651 personal-data-related incidents over the 12-month period – a 14.4% hike on the previous year.
The MoD’s handling of sensitive data has come under increasing scrutiny in recent months after details of a massive data breach affecting Afghan nationals who had previously worked for the UK government emerged in July.
That breach, which affected more than 18,000 people, occurred in February 2022 but was only discovered by the MoD in August 2023. A super-injunction covering the breach meant details of the incident could only be legally published this summer.
Watchdog the Information Commissioner’s Office described the 2022 breach as an “unacceptable” and “deeply regrettable” incident that had “placed thousands of vulnerable people at risk”.
The 651 personal-data-related incidents recorded in the MoD’s latest annual report and accounts are described as errors the department’s data controller determined were not serious enough to require reporting to the ICO.
A breakdown of the figures shows a significant increase in “unauthorised disclosure” incidents, which rose from 411 in 2023-24 to 499 in 2024-25.
Conversely, there was a dramatic fall in reported losses of inadequately protected electronic equipment, devices or paper documents from secured government premises. That category of incident fell from 40 in 2023-24 to 19 in 2024-25.
Losses of inadequately protected electronic equipment, devices or paper documents from outside secured government premises remained stable – with 32 such incidents reported for both years.
Personal-data-related incidents categorised as “other” increased from 85 in 2023-24 to 101 in 2024-25, an 18% year-on-year hike.
The 2023-24 figures recorded one incident of “inadequately protected” paper documents being disposed of insecurely. There were no such incidents recorded in 2024-25.
PublicTechnology asked the MoD for its explanation for the overall increase in personal-data-related incidents in the 2024-25 annual report and accounts.
It said that since last year’s general election, the new Labour government had been working to improve data security across the department through better software, training and data experts.
The department said the increase in reported unauthorised disclosures was likely to be due to improved organisational awareness and enhanced reporting practices, driven by significant efforts to strengthen data-protection compliance.
A spokesperson said: “We take data security extremely seriously and are committed to ensuring that any incidents are dealt with properly, and that we follow our legal duties.”
The department added that recent internal and external reviews had enhanced organisational understanding of data protection compliance, contributing to a “more robust and proactive approach” to safeguarding personal data.
Tech spending forms part of £1.9bn written off on project cancellations
Elsewhere in its annual report and accounts, the MoD lists £1.9bn in financial losses related to cancelled projects, some of which are tech-related.
A loss of £5.2m is ascribed to “Cancellation of the Operational Support Tool (Digital Foundry)”.
Digital Foundry is part of Defence Digital, which works on leading IT projects and programmes to support the armed forces in current and future operations.
The MoD said the Operational Decision Support Tool – known as OpDST – was a capability developed to provide an “advanced, integrated decision-making platform to support complex defence and security operations”.
Its intended benefits were to improve collaborative working and the quality and speed of decision-making.
However, the UK Strategic Command Executive Committee directed the deletion of the project in February last year as part of wider departmental cost-saving measures.
A further £2.2m of losses is attributed to the cancellation of the Payload Data Ground Segment Project, which was a bespoke payload processing solution developed by aerospace giant Airbus.
The MoD told PublicTechnology that hosting, networking and security requirements for the project were “found to be complex” and attempts to meet them caused significant delay to the delivery and installation of the system at the Defence Science and Technology Laboratory.
The department said that in March this year it had been decided that the system was “no longer affordable or feasible” and ownership was returned to Airbus.

