Defence Personnel Data Breach Debate

Wednesday 8th May 2024


Lords Chamber
Lord Coaker (Lab)

My Lords, I thank the Government for the opportunity to discuss this Statement again today and the noble Lord for repeating it. He will know that on these matters we are united with the Government. We cannot and must not stand for any such attacks. With the number and level of such threats increasing, we have to do all we can to make our country secure at home and strong abroad, so the news of this grave security and data breach is of real concern to us all. It is particularly alarming given that this is yet another example of an MoD data breach. It is particularly concerning as it involves our Armed Forces personnel past and present.

In the last five years, there has been a threefold increase in MoD data breaches, with 35 separate breaches reported to the Information Commissioner’s Office. Such threats—from state activity and other malign actors—are increasing across government, including attacks on prime contractors and subcontractors, as in this shocking case. Do they not present a soft underbelly to our national security?

Can the noble Lord explain when this breach took place? When did Ministers become aware of it? Reports say that these attacks took place weeks ago, but that Ministers were informed only days ago. Is that the case, or are the reports simply wrong? In these instances, who is responsible for alerting whom, how quickly, and when? Who monitors these contracts? Why did it take this appalling incident to alert officials, as the Defence Secretary said in the other place, to the potential failings of the company now named SSCL? What other potential problems are there? What other government departmental contracts are run by SSCL—or indeed by others—which could also be impacted by this breach? This itself would represent a very real threat to national security. Does any review being undertaken by the Government include all these other prime contracts and subcontracts, stretching across government?

The noble Lord and the Government say that this constraint is now offline, but I am unclear on some of the facts. Can the Minister confirm that all salaries and expenses will be paid by this Friday? Can he confirm how many service personnel, past and present, have been or may have been affected by this breach? In the other place, a figure of up to 272,000 was mentioned. How near to that figure will it be? The Government were unclear about that. What is the Government’s latest estimate of the number of Armed Forces personnel, past and present, who will be affected?

The Minister in the other place went to great lengths to say that a malign actor was responsible for the breach, but he would go no further. Why not? Can the noble Lord explain how it was briefed all over the media that sources believed it was China? Of course, evidence is needed to confirm that, but how did that occur? Has the noble Lord anything further to say about that? When will he be in a position to update us on the outcome of the Government’s own inquiries? Can he also explain how this data breach appeared in the media—presumably through a leak—meaning that Armed Forces personnel found out what had happened through the media, rather than in the proper way? How did all this happen?

This is exceptionally serious. In addition to reassuring our Armed Forces personnel, who, frankly, deserve better, our country, too, needs reassurance. The MoD, the guardian of the nation, is threatened, along with others, and its defences appear to have been breached. Time and again, we also see security undermined in other areas of government. We all hope that the eight-point plan will reassure our personnel, and their welfare must be our top priority. The Government have been warned time and again—not least by recent reports from the Intelligence and Security Committee, for example—about threats from China and others. Why have the Government not taken more urgent action? They need to adopt a more cross-cutting, far-reaching, urgent approach to cybersecurity. We all support the security of our country. We all want our country to be safe. Does this further example of a cyberattack not represent yet another wake-up call to the Government?

Baroness Smith of Newnham (LD)

My Lords, I agree with the noble Lord, Lord Coaker, that His Majesty’s Government have many questions to answer. I thank the Minister for taking the hospital pass and repeating the Statement to the House this afternoon.

The wording of the Statement is interesting. The Ministry of Defence has identified indications that a malign actor gained access. Did it identify these indications only after the leak to the media, or was it aware of this and trying to deal with matters behind the scenes? It would be helpful to understand whether the MoD has a handle on the data breach.

As the noble Lord, Lord Coaker, has pointed out, there are questions about prime contractors and subcontractors, and the eight-point plan raises some concerns about what is being asked of government departments and our contractors. Point four states:

“specialist advice and guidance on data security has been shared”

and is available now on GOV.UK. This is part of the eight-point plan—after the horse has bolted. Why on earth was this advice not available before the data breach? It is not good enough for the Secretary of State to refer the other place back to his Lancaster House speech and remind us that the world is a “more dangerous” place. We know the world is a dangerous place. We know that there are cybersecurity dangers, and if the MoD and its contractors cannot ensure that we are safe and secure from data breaches, who can? Can the average citizen of the United Kingdom feel secure if the MoD is not able to deal with its own cybersecurity? Why can it not? To say that this is a contractor and therefore separate from the MoD’s HR supply is not necessarily adequate, either. Are the requirements for our prime contractors and subcontractors adequate?

A question asked in the other place, and which the noble Lord, Lord Coaker, has also touched on this afternoon, is: which other government departments are using Shared Services Connected Ltd and to what extent should we be concerned? My understanding is that the Home Office, the MoJ and possibly the Cabinet Office are also part of these contracts, but the Secretary of State did not appear to be able to answer the question in the other place. I hope, with the additional 24 hours, that the noble Lord, Lord Harlech, may be able to give us some answers to this question.

Point six of the eight-point plan says that His Majesty’s Government are now

“providing a commercial personal data protection service for all service personnel”.

Why is it a commercial personal data protection service? Would it not now be appropriate to learn the lessons of outsourcing and think about whether we should provide our own HR and payroll? Would it not be appropriate for His Majesty’s Government to rethink that and for personnel data to be ensured by His Majesty’s Government and not outsourced?

I have two final points to make in my last 33 seconds. Given the Border Force issues yesterday, do we suspect that the same malign actors who hacked the data impeded people entering our country? Are other malign actors damaging UK infrastructure? Is that a further security concern? My final point concerns the noble and gallant Lord, Lord Craig of Radley. During questions on the response of Israel and its iron dome a couple of weeks ago, he asked whether, if London were faced with a similar issue, we would be able to defend ourselves. Should we not be concerned that, if the MoD cannot defend its personnel against hackers and malign actors, maybe our country is not as secure as it should be?