Secret review of 11 major breaches kept hidden for 22 months, sparking outrage and safety fears
The government is under mounting pressure to explain why it buried a critical review into major data breaches for almost two years and why it has still failed to implement all of its own recommendations.
The long-delayed report, finally published on Thursday, examined 11 breaches across the public sector that exposed the personal details of thousands of people — including Afghans who worked with the British military, survivors of child sexual abuse and disability claimants.
The review, completed in 2023 by Cabinet Office officials, was ordered after the catastrophic leak of personal information about 10,000 officers in the Police Service of Northern Ireland. Yet ministers kept it under wraps until now, releasing it only after repeated pressure from MPs and the Information Commissioner.
Investigators identified three recurring failures that lay behind the breaches. First, sensitive data was being casually downloaded or exported in bulk, often without safeguards. Second, confidential information was regularly sent to the wrong people by email, with civil servants failing to use the bcc function properly. Third, hidden personal details often remained embedded in spreadsheets released publicly, exposing information that was never meant to be seen.
The timing of the report’s release has drawn particular anger. It comes just weeks after the disclosure of a database containing the personal details of nearly 19,000 Afghans who had assisted British forces. That breach left many fearing for their lives under Taliban rule and forced the UK to quietly expand a relocation scheme.
Chi Onwurah, the Labour MP who chairs the Commons science, innovation and technology committee, accused ministers of stonewalling. “It’s concerning that it took an intervention from my committee and the information commissioner to make this happen,” she said. “The government still has questions to answer. Why have only 12 of the 14 recommendations been implemented? And why keep the very existence of this review a secret for so long, even after the Afghan breach?”
The government insists it has acted on most of the recommendations, but declined to specify which two have been ignored. The unpublished proposals range from reviewing sanctions for negligence to working with the National Cyber Security Centre on stricter technical controls and launching a cross-government campaign to curb poor information handling.
John Edwards, the information commissioner, warned ministers that half-measures would not suffice. He urged them to go “further and faster” to bring Whitehall and the wider public sector up to standard. In a letter to Cabinet Office minister Pat McFadden, he said: “As a matter of urgency, the government should fully implement the recommendations of the Information Security Review.”
In a joint response, McFadden and Peter Kyle, the science and technology secretary, acknowledged progress but admitted the problem remained serious. “Good progress has been made but we must guard against complacency,” they wrote. “This is an area on which we must keep a consistent focus to ensure standards continue to improve.”
The government’s official line is that the review had been commissioned by the previous administration. A spokesperson said: “Protecting national security, including the security of government data, is one of our primary responsibilities. Since taking power, we have strengthened security guidance across departments, updated mandatory training for civil servants, and announced plans to upgrade digital infrastructure across the public sector as set out in our Blueprint for Modern Digital Government.”
But critics argue that the delayed disclosure, coupled with unanswered questions about incomplete reforms, risks destroying public trust. At stake, they warn, is not just the protection of data but the safety of vulnerable people whose details have already fallen into the wrong hands.