PARLIAMENTARY DEBATE
Defence Personnel Data Breach - 7 May 2024 (Commons/Commons Chamber)
The contractor-operated system in question holds personal data of regular and reserve personnel and some recently retired veterans. That includes names and bank details, and—in a smaller number of cases—addresses. In response to the incident, we have undertaken significant and immediate action, enacting a multi-point response plan to support and protect our people. I would like to provide the House with details of this eight-point plan.
First, we immediately took the system offline. That has secured it against similar future threats. Secondly, we have launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents.
Thirdly, while our initial investigations have found no evidence that any data has been removed, as a precaution we have today alerted those service personnel affected through the chain of command. In addition, we are also sending out letters to a small number of veterans who have retired and who may have been affected as an additional precaution. The House will wish to note that the vast majority of the UK veterans community is, however, unaffected.
Fourthly, specialist advice and guidance on data security has been shared and will be available on gov.uk later today. Fifthly, we have additionally set up a helpline to support individuals. The number for the helpline is 01249 596665, and it will be available from today.
Sixthly, we are providing a commercial personal data protection service for all service personnel. That facility will constantly monitor each individual’s personal data and notify them if there are any irregularities. Even though we do not believe that their information has been stolen, we intend to do that in order to bring further peace of mind.
Seventhly, welfare and financial advice is available where needed through each individual’s chains of command.
Eighthly, on becoming aware of the incident, the MOD stopped the processing of all payments and isolated the system. I want to provide further detail on that step. We are making changes to the system to ensure that it is secure before recommencing payments through it. I confirm, though, that, in the meantime, all April salaries have been paid. Some service personnel will have experienced a slight delay in receiving some expense payments; however, we expect that to be fully resolved today, with the money in their accounts by Friday.
Furthermore, I confirm that we are ensuring that all high-value payments remain unaffected. For example, all outstanding Forces Help to Buy and terminal benefits payments have been facilitated by alternative secure transfer. As mentioned, salary payments and pensions for veterans have not been affected, and we do not expect them to be.
For reasons of national security, we cannot release further details of the suspected cyber-activity behind the incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement. The incident is further proof that the UK is facing rising and evolving threats. As I set out in my speech at Lancaster House in January, the world is, I am afraid, becoming somewhat more dangerous. Last month, the Government therefore announced an increase in defence spending to meet those new threats, reaching 2.5% of GDP by the end of the decade.
Following this incident, I can announce today that although this incident is entirely unrelated to our own MOD networks, we are also reviewing all personnel data networks to ensure that our people’s data is secure. This was the work of a malign actor who compromised a contractor-run network entirely separate from the MOD core system. However, as I have said, we cannot at this stage rule out state involvement from elsewhere. This eight-point plan outlines the immediate and significant action we are taking to protect our most precious resource: our people. Even though this occurred on a contractor’s system, with a malign actor involved—and we cannot rule out foreign state involvement—I want to apologise to the men and women affected. It should not have happened, and this eight-point plan seeks to ensure that it is put right and cannot happen again. I commend the statement to the House.
There will indeed be serious concern in the MOD that news of this big data breach was splashed across the media before the Defence Secretary could set out the facts to Parliament. My overriding concern is for the safety of serving personnel and veterans affected, worried about the risk to themselves and their families and hearing first about the data being hacked from the media and not from the MOD. Our military put their own security at risk when they serve on the frontline, and the very last thing they should have to worry about is their data security back home. Any such hostile action against our forces is utterly unacceptable, and their protection must be the first-order priority for the Defence Secretary, whether on operations abroad or for their data at home.
Despite the Defence Secretary’s statement, he still has many serious questions to answer. On the breach itself, who held the data that was hacked? When was it discovered? When were Ministers told? How was it leaked to the press? On the contractor, Defence Business Services says that Shared Services Connected Ltd has the MOD contract for core payroll and other business services. How many contracts does SSCL or its parent company, Sopra Steria, have with the MOD? What action has been taken by other Government Departments with similar SSCL contracts? On forces personnel, how many serving personnel and veterans have been hit by the hack? Has every serving full-timer and reservist been affected? What support is being offered?
On last night’s media reports, has a leak inquiry been launched? The MOD’s data security record is getting worse while threats against the UK continue to rise. There has been a threefold increase in MOD data breaches in the last five years, with 35 separate MOD breaches reported to the Information Commissioner’s Office and a £350,000 fine last December. Sub-contractors are well known to be the soft underbelly of security, and this latest hack raises serious questions about how the MOD manages its outsourced services.
The media have clearly been briefed that China is behind the hack, but the Defence Secretary tells us only about a “malign actor”. The Government rightly have a rigorous system before official accusations or attributions are made, but if this data breach is found to have been carried out by a hostile state, it would represent a very serious threat to our national security.
The Government have been warned. The Intelligence and Security Committee confirmed in its China report last year that cyber-attacks by hostile states now happen daily, and now our wider armed forces community are being targeted. However, the Committee also found there was no cross-Government China strategy, “completely inadequate” resourcing, and defence intelligence with no systematic record of resources focused on China.
The Defence Secretary knows that we are united in this House. We will not stand for any such attacks and, with threats increasing, such flaws in our cyber-security must be fixed. Only then will we make Britain secure at home and strong abroad.
The chosen date to announce this breach was today, to ensure that we would be able to secure the systems, back up and make sure everyone had their payments made, even if it was not through those systems. The media release last night was coincidental and unwelcome, as far as we were concerned, but unfortunately a lot of people are involved in this. He asked how many personnel had been affected, and the number is 272,000. I stress that that means it is up to that number; the number is still being refined and will probably end up lower, but none the less it is a large number of people and they may have noticed that bank payments were not made, so some of the media will have picked up on that.
The right hon. Gentleman is right to say that the welfare of our personnel is our absolute first priority. I hope that he will agree that the eight-point plan focuses heavily on that and consists of ensuring that they are getting every bit of help and support required. Although we do not think the data is necessarily stolen, we are making the assumption that it has been in order to ensure that personnel get the support required, including through their own data monitoring services, which we are providing to each and every one of them, whether or not they are affected in this particular case.
The right hon. Gentleman has named the contractor involved, and I can confirm that that is the correct name, SSCL. As I mentioned in my statement, we have not only ordered a full review of its work within the MOD, but gone further and requested from the Cabinet Office a full review of its work across Government, and that is under way. I also briefly mentioned specialists being brought in to carry out a forensic investigation of the way this breach has operated.
Data breaches and this level of attack are nothing new, but the right hon. Gentleman is right to point out, and the House will be aware, that these attacks are growing, to the extent that the MOD’s networks are under attack millions of times per day, and they successfully repel those attacks millions of times per day. I stress again, particularly for servicemen and women listening, that this breach does not contain data that is on main MOD systems, and which is of even greater concern to us. It is right that we invest in protecting the systems to ensure that these data attacks are repelled and are not successful.
I would gently say to the right hon. Gentleman, as I think he might expect me to, that one of the best ways to do that is to invest in defence. That is why we are committed to a 2.5% increase, with a fixed timeline and a plan to pay for it, because it means we will be able to do more things, including investing further in cyber-security.
My right hon. Friend asked specifically about the ongoing work with the particular contractor. The Cabinet Office is calling in specialist analysts who will carry out that work over the coming weeks. There are two separate tracks in respect of the contractor in the MOD but also, separately, in the different places across Government that my right hon. Friend rightly identified. I stress to the House—because I suspect that this will be brought up a number of times—that we expect very high standards from our contractors that work with the lives and livelihoods of our service personnel, so we will take all appropriate actions.
There is a bit of concern about the contractor, because it has previous when it comes to delivering Government contracts. Notably, there was a scandal over NHS business services and the running of immigration application systems. Given the seriousness of this issue for the Ministry of Defence, will the Secretary of State advise the House on whether he has confidence that the contractor is able to continue to deliver the contract? Will he consider a review of the specific armed forces payment network element and whether the contract should be brought back in-house and delivered by the MoD, rather than by some conglomerate based in Paris?
May I ask my right hon. Friend a very simple question? The FBI director has said that China has a cyber-espionage capacity so vast that it dwarfs everybody else’s, and we now know the record of all the direct attacks on us in the House, as the Chair of the Foreign Affairs Committee, my hon. Friend the Member for Rutland and Melton (Alicia Kearns), said. Given that the Deputy Prime Minister said in 2023 that the Government were considering placing the People’s Republic of China into the enhanced tier of the foreign influence registration scheme, why in heaven’s name do we not now place this malign actor in that tier and deal with it accordingly?
I want to ask the Secretary of State about a point that has been made by a number of Members. The outsourced contractors are clearly the weak spot in our system. Will he commit to examining and analysing every single subcontractor, with a view to bringing them back in house in the light of the threats we face?
If it was weak security with the contractor, does that mean it was not a state actor? If the contractor had a high level of security, do we assume it is more likely that a state actor was behind the breach? If there was a state actor behind it, do we assume that it is China, because it has form on stealing mass data and has done so from the US federal Government?
My right hon. Friend is absolutely right about this. He is a champion for ensuring that these contractors do the jobs they are actually paid to do. We are now trawling through all the detail and, as I have said before, we will not leave this hanging. We will take every appropriate action because, as he might imagine, my entire team and I are very concerned about the welfare of our personnel—brave men and women who do not deserve to have this happen to them. We do not want to see it happen in the name of the MOD, either.
I will not reiterate each of the eight points. However, through the chain of command, the phone number that is now available, the information going on gov.uk and the wraparound services, including the fraud-checking service that staff will now individually have access to and many others, I hope personnel are reassured. Remember that we do not think the data has necessarily been stolen, but we are behaving as if it has in order to provide absolute security.
Who in the Cabinet Office is charged with this responsibility? Is it the National Security Adviser? Which Cabinet committee is overseeing this? Is it the National Security Council itself? I hope so. Which Deputy Chief of the Defence Staff is responsible for cyber-security? Who will be responsible for making sure that all these elements are working together to conduct this review very thoroughly? I suggest that the Secretary of State brings forward a White Paper very shortly on the lessons learned from this incident and others, to provide the reassurance that not least our service personnel need.
My hon. Friend asks who in the Cabinet Office is charged with this responsibility, and I have spoken directly with the Deputy Prime Minister to make sure it is set from the very highest levels. My hon. Friend also asks who has overall responsibility, and it is the excellent Chief of Defence People, Phil Hally, who is very good. He has now chaired, I think, 11 internal meetings on this issue, in order to get everything ready for this afternoon. As I have said, it is with deep regret that we did not quite make it to today before the news started to break late last night. Phil Hally is responsible and will continue to be responsible for those efforts.
Members on both sides of the House have pushed this point hard, and I will make sure that it is not buried or lost in process. I will return to this House. I cannot promise to do that in the next few days, as the Butler process takes a while, but I will not allow it to drop. The House has my undertaking on that issue.
In answer to my hon. Friend’s specific question, a commercial organisation will now be monitoring the personal data of the individuals affected. That would include, for example, the data being used in a suspicious way, appearing on the dark web, or any other outcome. In a way, an additional layer of security will be attached to these individuals. Again, I can confirm that, as of this moment, we have seen no suspicious activity at all on those accounts.
Lastly, on the wider points, can the telephone helpline be used by anyone concerned about late payment of miscellaneous expenses? Will the Secretary of State relay to the Deputy Prime Minister my strong view that the time is ripe for a Cyber Re, or reinsurance, in the same way that we created Flood Re a while back, precisely to deal with the likely costs for small authorities, such as those alluded to, of having to repair their cyber-defences against such future attacks?
Contains Parliamentary information licensed under the Open Parliament Licence v3.0.