My Lords, with the leave of the House, I shall now repeat a Statement made yesterday in another place by my right honourable friend the Secretary of State for Defence. The Statement is as follows:
“I would like to update the House on a data incident involving activity by a malign actor. In recent days, the Ministry of Defence has identified indications that a malign actor gained access to part of the Armed Forces payment network. That is an external system, completely separate from the Ministry of Defence’s core network, and it is not connected to the main military human resources system. The House will wish to note that it is operated by a contractor, and there is evidence of potential failings by it, which may have made it easier for the malign actor to gain entry. A specialist security review of the contractor and its operations is under way, and appropriate steps will be taken.
The contractor-operated system in question holds personal data of regular and reserve personnel and some recently retired veterans. That includes names and bank details, and—in a smaller number of cases—addresses. In response to the incident, we have undertaken significant and immediate action, enacting a multipoint response plan to support and protect our people. I would like to provide the House with details of this eight-point plan.
First, we immediately took the system offline. That has secured it against similar future threats. Secondly, we have launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents.
Thirdly, while our initial investigations have found no evidence that any data has been removed, as a precaution we have today alerted those service personnel affected through the chain of command. In addition, we are also sending out letters to a small number of veterans who have retired and who may have been affected as an additional precaution. The House will wish to note that the vast majority of the UK veterans community is, however, unaffected.
Fourthly, specialist advice and guidance on data security has been shared and is available on GOV.UK. Fifthly, we have additionally set up a helpline to support individuals. The number for the helpline is 01249 596665, and it is available now. Sixthly, we are providing a commercial personal data protection service for all service personnel. That facility will constantly monitor each individual’s personal data and notify them if there are any irregularities. Even though we do not believe that their information has been stolen, we intend to do that in order to bring further peace of mind.
Seventhly, welfare and financial advice is available, where needed, through each individual’s chain of command. Eighthly, on becoming aware of the incident, the MoD stopped the processing of all payments and isolated the system. I want to provide further detail on that step. We are making changes to the system to ensure that it is secure before recommencing payments through it. I confirm that in the meantime all April salaries have been paid. Some service personnel will have experienced a slight delay in receiving some expense payments; however, we expect that to be fully resolved today, with the money in their accounts by Friday. Furthermore, I confirm that we are ensuring that all high-value payments remain unaffected. For example, all outstanding Forces Help to Buy and terminal benefits payments have been facilitated by alternative secure transfer. As mentioned, salary payments and pensions for veterans have not been affected, and we do not expect them to be.
For reasons of national security, we cannot release further details of the suspected cyberactivity behind the incident. However, I can confirm to the House that we have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement. The incident is further proof that the UK is facing rising and evolving threats. As I set out in my Lancaster House speech in January, the world is, I am afraid, becoming somewhat more dangerous. Last month, the Government therefore announced an increase in defence spending to meet those new threats, reaching 2.5% of GDP by the end of the decade.
Following this incident, I can announce today that although this incident is entirely unrelated to our own MoD networks, we are also reviewing all personnel data networks to ensure that our people’s data is secure. This was the work of a malign actor who compromised a contractor-run network entirely separate from the MoD core system. However, as I have said, we cannot at this stage rule out state involvement from elsewhere. This eight-point plan outlines the immediate and significant action we are taking to protect our most precious resource: our people. Even though this occurred on a contractor’s system, with a malign actor involved—and we cannot rule out foreign state involvement —I want to apologise to the men and women affected. It should not have happened, and this eight-point plan seeks to ensure that it is put right and cannot happen again. I commend the Statement to the House”.
My Lords, I draw your Lordships’ attention to my interest set out in the register as a serving Army reservist.
My Lords, I thank the Government for the opportunity to discuss this Statement again today and the noble Lord for repeating it. He will know that on these matters we are united with the Government. We cannot and must not stand for any such attacks. With the number and level of such threats increasing, we have to do all we can to make our country secure at home and strong abroad, so the news of this grave security and data breach is of real concern to us all. It is particularly alarming given that this is yet another example of an MoD data breach. It is particularly concerning as it involves our Armed Forces personnel past and present.
In the last five years, there has been a threefold increase in MoD data breaches, with 35 separate breaches reported to the Information Commissioner’s Office. Such threats—from state activity and other malign actors—are increasing across government, including attacks on prime contractors and subcontractors, as in this shocking case. Do they not present a soft underbelly to our national security?
Can the noble Lord explain when this breach took place? When did Ministers become aware of it? Reports say that these attacks took place weeks ago, but that Ministers were informed only days ago. Is that the case, or are the reports simply wrong? In these instances, who is responsible for alerting whom, how quickly, and when? Who monitors these contracts? Why did it take this appalling incident to alert officials, as the Defence Secretary said in the other place, to the potential failings of the company now named SSCL? What other potential problems are there? What other government departmental contracts are run by SSCL—or indeed by others—which could also be impacted by this breach? This itself would represent a very real threat to national security. Does any review being undertaken by the Government include all these other prime contracts and subcontracts, stretching across government?
The noble Lord and the Government say that this constraint is now offline, but I am unclear on some of the facts. Can the Minister confirm that all salaries and expenses will be paid by this Friday? Can he confirm how many service personnel, past and present, have been or may have been affected by this breach? In the other place, a figure of up to 272,000 was mentioned. How near to that figure will it be? The Government were unclear about that. What is the Government’s latest estimate of the number of Armed Forces personnel, past and present, who will be affected?
The Minister in the other place went to great lengths to say that a malign actor was responsible for the breach, but he would go no further. Why not? Can the noble Lord explain how it was briefed all over the media that sources believed it was China? Of course, evidence is needed to confirm that, but how did that occur? Has the noble Lord anything further to say about that? When will he be in a position to update us on the outcome of the Government’s own inquiries? Can he also explain how this data breach appeared in the media—presumably through a leak—meaning that Armed Forces personnel found out what had happened through the media, rather than in the proper way? How did all this happen?
This is exceptionally serious. In addition to reassuring our Armed Forces personnel, who, frankly, deserve better, our country, too, needs reassurance. The MoD, the guardian of the nation, is threatened, along with others, and its defences appear to have been breached. Time and again, we also see security undermined in other areas of government. We all hope that the eight- point plan will reassure our personnel, and their welfare must be our top priority. The Government have been warned time and again—not least by recent reports from the Intelligence and Security Committee, for example —about threats from China and others. Why have the Government not taken more urgent action? They need to adopt a more cross-cutting, far-reaching, urgent approach to cybersecurity. We all support the security of our country. We all want our country to be safe. Does this further example of a cyberattack not represent yet another wake-up call to the Government?
My Lords, I agree with the noble Lord, Lord Coaker, that His Majesty’s Government have many questions to answer. I thank the Minister for taking the hospital pass and repeating the Statement to the House this afternoon.
The wording of the Statement is interesting. The Ministry of Defence has identified indications that a malign actor gained access. Did it identify these indications only after the leak to the media, or was it aware of this and trying to deal with matters behind the scenes? It would be helpful to understand whether the MoD has a handle on the data breach.
As the noble Lord, Lord Coaker, has pointed out, there are questions about prime contractors and subcontractors, and the eight-point plan raises some concerns about what is being asked of government departments and our contractors. Point four states:
“specialist advice and guidance on data security has been shared”
and is available now on GOV.UK. This is part of the eight-point plan—after the horse has bolted. Why on earth was this advice not available before the data breach? It is not good enough for the Secretary of State to refer the other place back to his Lancaster House speech and remind us that the world is a “more dangerous” place. We know the world is a dangerous place. We know that there are cybersecurity dangers, and if the MoD and its contractors cannot ensure that we are safe and secure from data breaches, who can? Can the average citizen of the United Kingdom feel secure if the MoD is not able to deal with its own cybersecurity? Why can it not? To say that this is a contractor and therefore separate from the MoD’s HR supply is not necessarily adequate, either. Are the requirements for our prime contractors and subcontractors adequate?
A question asked in the other place, and which the noble Lord, Lord Coaker, has also touched on this afternoon, is: which other government departments are using Shared Services Connected Ltd and to what extent should we be concerned? My understanding is that the Home Office, the MoJ and possibly the Cabinet Office are also part of these contracts, but the Secretary of State did not appear to be able to answer the question in the other place. I hope, with the additional 24 hours, that the noble Lord, Lord Harlech, may be able to give us some answers to this question.
Point six of the eight-point plan says that His Majesty’s Government are now
“providing a commercial personal data protection service for all service personnel”.
Why is it a commercial personal data protection service? Would it not now be appropriate to learn the lessons of outsourcing and think about whether we should provide our own HR and payroll? Would it not be appropriate for His Majesty’s Government to rethink that and for personnel data to be ensured by His Majesty’s Government and not outsourced?
I have two final points to make in my last 33 seconds. Given the Border Force issues yesterday, do we suspect that the same malign actors who hacked the data impeded people entering our country? Are other malign actors damaging UK infrastructure? Is that a further security concern? My final point concerns the noble and gallant Lord, Lord Craig of Radley. During questions on the response of Israel and its iron dome a couple of weeks ago, he asked whether, if London were faced with a similar issue, we would be able to defend ourselves. Should we not be concerned that, if the MoD cannot defend its personnel against hackers and malign actors, maybe our country is not as secure as it should be?
My Lords, I thank the noble Lord, Lord Coaker, and the noble Baroness, Lady Smith of Newnham, for the points which they raise and for their ongoing support, and that of their Benches in this House, for the Armed Forces. Our people are our strongest asset and the department is committed to taking appropriate action to investigate this matter thoroughly, in terms of both the contractor and the malign actor, and to ensuring that this does not happen again.
Since yesterday, I can confirm that 100% of the backlog of travel and expenses claims held up by the data compromise have now been paid and I can give assurance, on the advice of departmental officials, that the May pay run will be unaffected. I can also confirm, further to the Statement, that public guidance for affected personnel is now live. This can be found on the GOV.UK website by searching for “pay network compromise”.
On the issue of the contractor, as the Defence Secretary confirmed in the other place, a full security review of the contractor’s operations is under way and appropriate steps will be taken if it is found to have been negligent or in dereliction of its duties under contract. This is being co-ordinated with cross-government partners as the contractor, as the noble Lord and the noble Baroness indicated, does not work solely for defence. The contractor, SSCL, holds 12 contracts across nine government departments. The incident in question, however, is isolated to defence and there is currently no evidence of any risk to any other government services provided by the company.
As the Defence Secretary stated yesterday on several occasions, it is true to say that a malign actor is involved and it is possible that it is attached to a country, or a group based in a country. But I would ask that we refrain from turning media speculation into fact before the investigation has had a chance to conclude its important work. The Ministry of Defence is not trying to avoid giving the House this information; we need to be certain before we are able to do so. The Defence Secretary committed in the other place to return when he has further information which can be disclosed, if it is in our country’s interests to do so.
On the subject of Border Force e-gates, my information is that this was a network system failure and not in any way connected to this data breach. The noble Baroness, Lady Smith, raised ongoing cybersecurity. As I hope the Statement and my follow-up remarks attest to, this is something we take incredibly seriously. On a personal level, cybersecurity threats involving bribery, fraud and corruption are all part of our ongoing soldier training, which has to be done individually and is renewed each year.
The noble Lord asked how many personnel may be affected. I am afraid I can add no further clarity, except to say that we believe that approximately 272,000 personnel may have been affected. Investigations continue to refine this number. We monitor all defence contracts and, as I say, this is an ongoing investigation. I would not want to say anything which could impede it in any way.
My Lords, perhaps I should start by saying that I may have an active interest as a five-star retired serving officer. Having said that, not much has been said so far about what precisely veterans, who will obviously read their newspapers and be concerned, should be concerned about. Is it possible to give any more indication of any risks that they may have to their bank accounts, or elsewhere, which are not protected by the normal arrangements made between an individual and his or her bank?
I thank the noble and gallant Lord for his question. The information that was compromised in this was names, bank details and, in some cases, addresses. We are working at speed, as part of the investigation, to ascertain exactly whose information and what information have been breached, and to contact them through all methods of communication that we have on file for them. It will not be the case that we use just one avenue; we will be doing everything we can to contact them in the most expedient way possible.
My Lords, following the declaration of interest from the noble and gallant Lord, Lord Craig, I fear that I should also declare an interest as a lowly two-star officer who has definitely been affected by this data breach—as indeed has the Minister, although he may not have said that.
I commend the Government’s response. I awoke this morning to a very comprehensive email in my MoD inbox explaining exactly what had happened and what I should do about it. I would, however, like to make one point following what the noble Baroness said. When I accessed the commercial data protection service, the first thing it asked me to do was to submit all my bank account details from my various bank accounts. The Minister will understand that I was slightly reluctant to do that in the circumstances.
My serious question is one that is very much doing the rounds among the Armed Services. If, while no data appears to have been harvested, subsequently data is harvested and we see money removed from bank accounts, where will the liability fall?
My noble friend—“General”, “Sir”—raised a number of very important points. He is, as always, ahead of me. In preparing for this Statement, I have not yet gone through my notifications to see what steps I should be taking next.
This is a very serious issue and that is why we have acted in the way we have. We take data responsibility extremely seriously. That is why, as soon as we became aware of the incident, we stopped the processing of all payments and isolated the network, enabling us to review what happened. As I said in the follow-up to the Statement, pay runs have been unaffected, including monthly salaries and larger payments. We understand that this is a distressing time for service personnel. I would like to reassure them and all noble Lords that we are dealing with this matter with the utmost seriousness and haste.
My Lords, I thank the noble Lord for repeating the Secretary of State’s Statement. In the remark he just made, he illustrated the real dangers presented to military personnel with the release of addresses into the hands of a hostile state—a malign actor, as we have been told—which undoubtedly will compromise the safety of military personnel, past and present. It also, of course, endangers national security and is of a piece with the espionage and other cybercrimes to which some of us, even here in Parliament, have been subjected.
Can the Minister tell us whether, in this instance, the private contractor entrusted with this data will be brought before the Intelligence and Security Committee to explain exactly what happened? This should not simply be subject to an internal review. How many other private contractors currently hold Ministry of Defence data? If and when this hack is attributed to the People’s Republic of China, as was briefed by the Government yesterday morning, will the state entities responsible be sanctioned and not merely individual hackers? Are we in touch with our Five Eyes allies to co-ordinate a comprehensive and effective response safeguarding our national interest and, in this instance, our service personnel?
The noble Lord raised a number of very important points. It is difficult to comment on them because of the ongoing investigation and the sensitivity around it. In respect of his request that the supplier is brought before the committee, that is certainly a reasonable suggestion that I will take back to the department.
My Lords, the MoD has in place, and regularly refreshes, robust resilience plans in case any of its systems are compromised or prejudiced by an adverse attack. Although this incident relates to systems operated by a primary contractor and not the MoD, I ask my noble friend whether primary contractors are required to observe the same high standards of preparedness as the MoD. Did this particular contractor comply with these requirements?
My noble friend raises a very good point. I do not know the vetting process they went through, so I will have to go back to the department, find out and write to her. My hope is very much that they are subject, as all suppliers and third-party contractors should be, to the highest standards of vetting.
My Lords, I do not know whether to declare an interest—I have a daughter in the reserves, who may or may not be affected —but I do want to declare that I am a very proud board member of the British Library, which suffered a severe cyberattack at the end of October last year. We are still, in the British Library, going through the forensics to discover how and why this happened and what has been affected. Building back takes time. We have found the support and guidance of the National Cyber Security Centre extremely helpful. Can my noble friend the Minister tell me whether the National Cyber Security Centre will be involved with the contractor to the MoD? Will there be some sort of overview, because today it is the MoD, in October it was the British Library, and other organisations have recently been subject to severe cyberattacks? What is the strategic overview and the learning that we can take from these incidents?
I thank my noble friend. I cannot comment on the specifics of the investigation and which authorities are being co-ordinated, but this is going to be an extremely thorough and robust investigation. The Government are absolutely alive to the threats posed by malign actors of all kinds, be they terror, criminal or state-sponsored. That is exactly why, given the deteriorating security environment, we have set out that increase in defence spending to 2.5% by 2030. I assure the House and my noble friend that the uplift in spending includes cyber defence, which is of critical importance.
My Lords, the Minister mentioned that a number of payments to the people affected have been delayed. When that happens, it can mean that those people affected themselves miss payments for credit cards, rent, mortgages et cetera, which can cause penalties to be accrued and can impact people’s credit ratings. What are the Government and the MoD doing to make sure that soldiers and others are put back into the position they should be in?
My Lords, I confirm again that all pay runs of large and small transactions are up to date. However, I totally take on board the noble Lord’s point that missed or late payments can incur fees. The last thing we want is our service personnel getting into further difficulty or distress because of this incident. We do not think that anyone will be affected by this, but—I say this categorically—if they do incur any additional costs or miscellaneous expenses as a result of any late payment, they should contact their chain of command with proof of this, and it will be dealt with on a case-by-case basis to recompense them.
My Lords, earlier this year a UK council reported that it was facing 10,000 cyberattacks per day. Unfortunately, such events are only going to increase across the board. What preventive measures will the Ministry of Defence take going forward to protect us from potential data theft in situations where other external contractors hold similar sensitive data?
Like those of many large organisations, MoD systems are targeted by malicious actors. That threat is only growing and is one that we are very alive to. The MoD monitors the latest information with regard to vulnerabilities and issues advice, guidance and direction. The MoD and suppliers organise patches to address any relevant vulnerabilities. We do not stop there: if we judge that there is a threat to the security and independence of the UK’s critical national infra- structure, we will act accordingly.
My Lords, the shock here is not that the attack was mounted—“spies are gonna spy”—but that it got as far as it did. It is worth checking the point first made by the noble Lord, Lord Coaker, about subcontractors being a particular point of vulnerability in the MoD. But my question is about the alliance. The United Kingdom is of course part of an alliance, and our allies will be following this data breach along with service personnel in the UK, so is the MoD keeping allies abreast of what has happened and the results of the investigation?
As the noble Lord will be aware, we are in constant and regular dialogue with our allies and partners on a range of matters.
My Lords, further to the question asked by the noble Lord on the Cross Benches about short-term losses if, for example, a pay run is delayed, what contingency do the Government have if there are any long-term losses as a result of bank accounts being frozen, or indeed anything more severe than that happening?
My noble friend raises an important point. We do not foresee this being an issue at this stage. However, the advice would be exactly the same for a sum small or large: it is to notify your chain of command immediately, and appropriate action will be taken on a case-by-case basis.