The UK's data protection regulator has defended its decision not to pursue further action against the Ministry of Defence (MoD) over a serious data breach that exposed personal information of Afghans who assisted British forces.

The Information Commissioner's Office (ICO) said the incident caused considerable harm but concluded additional investigation would not deliver greater benefit. The office stressed that organisations must handle data with greater care to avoid such damaging consequences.

The breach occurred when a hidden dataset in a spreadsheet was mistakenly shared under the pressures of a UK military operation. While the sender believed only limited data was being released, the spreadsheet contained much more information, some of which was later leaked online.

The ICO has already fined the MoD ￡350,000 in 2023 over a previous incident related to the Afghan relocation programme. The regulator confirmed that in both cases, the department had taken significant remedial action and committed extensive public resources to mitigate future risk.

Although the ICO acknowledged the incident's severe impact, including threats to individual lives, it decided not to divert further resources given existing accountability, classified restrictions, and national security concerns.