Source · Select Committees · Public Accounts Committee
Recommendation 17
MoD failed to notify PAC about data breach after 18-month delay and obtaining super-injunction.
Conclusion
The Department first became aware of the data breach on 14 August 2023, 18 months after it occurred, when personal details of 10 individuals from the dataset were posted online on Facebook.40 Following its discovery of the data breach, on 25 August 2023 the MoD decided to apply to the High Court for an injunction to prevent the data loss becoming public. Although the MoD did not originally apply for a ‘super-injunction’, on 1 September 2023 the High Court granted this form of legal ruling, which prevented disclosure of both the data breach and the existence of the injunction itself.41 The Department told us that in the two-week period between it becoming aware of the breach and the super-injunction being put in place, it was learning about the scope of the breach and the likely consequences. It was not at the forefront of officials’ minds that it was appropriate to notify the Public Accounts Committee (PAC).42