On 15 July 2025 the Defence Secretary told the House of Commons about a large-scale data breach that had taken place in 2022, when a Ministry of Defence official emailed a spreadsheet to an external contact, unaware that it contained details relating to 18,700 Afghan nationals applying for relocation.
In the wake of this, and other serious public sector data breaches, the committee chair wrote to the Chancellor of the Duchy of Lancaster, the Secretary of State for Science, Innovation and Technology, and the Information Commissioner, to find out more about data hygiene and data management practices across government. This led to the publication in August 2025 of an Information Security Review which had been undertaken by the Cabinet Office in 2023 but not published. In August and then October 2025 the government announced further details of their intended response to the Afghan data breach - and others like it – and the subsequent review.
On 21 October 2025 the committee questioned the Information Commissioner about his office's response to the February 2022 breach and wider learnings for government information and data security. In February 2026, the committee will question the Security Minister and Minister for Digital Government and Data on how the government has responded to the breach, and implemented the recommendations made in the Information Security Review.