Source · Select Committees · Public Accounts Committee
Recommendation 15
Department implemented significant data protection improvements following multiple previous breaches.
Conclusion
We asked the Department about its response to a data breach which occurred in September 2021 relating to the ARAP scheme.31 The Department told us that it had engaged with the ICO in the autumn of 2021 following multiple data breaches.32 The Department disclosed three data breaches which occurred in September and October 2021 in its 2021–22 Annual Report and Accounts.33 The Department said that its response was specific to the nature of those data breaches. This included requiring a second person to check emails which were sent outside the Department’s IT systems, and a system alert if the sender tried to email more than a certain number of addressees.34 The Department said that, once it discovered the February 2022 data breach, it carried out a much more fundamental review of its data protection and information handling policies, training and systems.35 In correspondence received after our evidence session the Department said that, since 2023, it had implemented further software improvements, alongside reviewing its processes and policies. In addition, it noted that all staff are mandated to undertake various data and e-learning courses that offer awareness of good data management practices, and that it has produced bespoke training and educational materials to assist staff in putting their learning into practice.36

27 Information Commissioner’s Office, Record of ICO [Information Commissioner’s Office] involvement in the data breach announced by the MoD [Ministry of Defence] on 15 July 2025, para 16cii4a, July 2025
28 Letter from Ministry of Defence, 7 October 2025
29 C&AG’s Report, para 12
30 C&AG’s Report, para 16
31 Q 2
32 Q 9
33 Ministry of Defence, Annual Report and Accounts 2021–22, page 68, July 2022