Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, how many (a) armed forces (i) personnel and (ii) families and (b) civil servants in his Department have been affected by personal data incidents related to Defence Children Services schools and settings in each year since 2010.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
The number of personal data incidents that have been correctly reported to the Army Warning Advice and Reporting Point (WARP) that have affected Defence Children Services schools and settings since 2010 and the number of affected individuals that have been affected by personal data incidents related to Defence Children Services schools and settings in each year since 2010 is as below:
Incidents | Affected Individuals | |
2010 | 0 | 0 |
2011 | 0 | 0 |
2012 | 0 | 0 |
2013 | 0 | 0 |
2014 | 0 | 0 |
2015 | 0 | 0 |
2016 | 1 | 61 |
2017 | 0 | 0 |
2018 | 0 | 0 |
2019 | 2 | 270 |
2020 | 1 | 1 |
2021 | 3 | 4184 |
2022 | 6 | 21 |
2023 | 9 | 459 |
2024 | 2 | 29 |
Totals | 24 | 5025 |
This data has been taken from Blackthorn Defence Incident Management Database (BT DIMDb) (which is directly fed by the Security Incident Reporting Forms (SIRFs) used across Defence) and the Army WARP Security Incident Database (SID).
It is not possible to split the affected individuals down into the categories stipulated in this question as that distinction is not made during reporting or investigation. It should also be noted that the number of people impacted is determined during the course of the investigation.
The 2021 figures include a major investigation into a cyber incident at a single school, which resulted in the potential compromise of 1110 internal (Ministry of Defence) email addresses and 3070 external (personal) email addresses.
Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, how many personal data incidents have affected Defence Children Services schools and settings since 2010.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
The number of personal data incidents that have been correctly reported to the Army Warning Advice and Reporting Point (WARP) that have affected Defence Children Services schools and settings since 2010 and the number of affected individuals that have been affected by personal data incidents related to Defence Children Services schools and settings in each year since 2010 is as below:
Incidents | Affected Individuals | |
2010 | 0 | 0 |
2011 | 0 | 0 |
2012 | 0 | 0 |
2013 | 0 | 0 |
2014 | 0 | 0 |
2015 | 0 | 0 |
2016 | 1 | 61 |
2017 | 0 | 0 |
2018 | 0 | 0 |
2019 | 2 | 270 |
2020 | 1 | 1 |
2021 | 3 | 4184 |
2022 | 6 | 21 |
2023 | 9 | 459 |
2024 | 2 | 29 |
Totals | 24 | 5025 |
This data has been taken from Blackthorn Defence Incident Management Database (BT DIMDb) (which is directly fed by the Security Incident Reporting Forms (SIRFs) used across Defence) and the Army WARP Security Incident Database (SID).
It is not possible to split the affected individuals down into the categories stipulated in this question as that distinction is not made during reporting or investigation. It should also be noted that the number of people impacted is determined during the course of the investigation.
The 2021 figures include a major investigation into a cyber incident at a single school, which resulted in the potential compromise of 1110 internal (Ministry of Defence) email addresses and 3070 external (personal) email addresses.
Asked by: Steve McCabe (Labour - Birmingham, Selly Oak)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what steps his Department is taking to prevent veterans’ personal data from being breached by malign actors.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
The Ministry of Defence takes Cyber Security seriously including protecting personal data for all defence people including veterans.
Defence employs a Cyber Risk Management Framework that regularly reviews and escalates risk. This uses evidence from a variety of sources including as the Cabinet Office’s Gov Assure ‘Cyber Assessment Framework’ (CAF). All Defence Organisations sit within this framework.
Asked by: Stephen Morgan (Labour - Portsmouth South)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps his Department is taking to tackle Russian covert activity.
Answered by Tom Tugendhat - Minister of State (Home Office) (Security)
Russia is a top national security priority for Government, and we have made huge strides to counter the threat posed by Putin’s regime and to increase our resilience to Russian malign activity. This includes repeatedly exposing the activities of the Russian Intelligence Services and Russia’s malicious cyber activity, expelling Russian intelligence officers, and sanctioning individuals responsible for hostile activity.
The Government actively deters and defends against the full spectrum of threats emanating from Russia, working in partnership with our allies. We recently announced the expulsion of the Russian Defence Attaché and are removing the diplomatic status from several Russian premises as part of a package to tighten defences against malign activity by Russia across the UK and Europe.
This is the toughest package of bilateral measures imposed on Russia since Salisbury and sits alongside the significant powers of the National Security Act 2023, which are already being used to keep us safe from state threats.
Alongside the US and Australia, we have also sanctioned a senior Russia-based leader of LockBit, once one of the world’s most pernicious cybercrime gangs.
Asked by: Lord Taylor of Warwick (Non-affiliated - Life peer)
Question to the Ministry of Defence:
To ask His Majesty's Government, following the recent cyber-attack targeting the personal details of UK military personnel, what steps they are taking, if any, to review their current data security protocols and cyber defence strategies.
Answered by Earl of Minto - Minister of State (Ministry of Defence)
The Cyber Resilience Strategy for Defence is already driving forward a programme of work to improve Defence’s cyber security. The Cyber Resilience Strategy was reviewed recently and remains valid. This includes adopting a Secure by Design approach to ensure security is built into our programmes from the outset and managed effectively on a through life basis.
With regards to the recent cyber incident specifically, the Ministry of Defence (MOD) has commissioned an independent review into what happened and lessons that can be learned. This will include examining Data and Information Security, the involvement with the contractor and the wider use of systems which process personal data. In addition the MOD are conducting a full review of the Information Security measures that were in place in this contract. Should the independent review suggest that further measures are necessary, the MOD will review these recommendations and implement such changes as are necessary to ensure the continued security of all MOD's data.
Asked by: Andrew Rosindell (Conservative - Romford)
Question to the Department for Education:
To ask the Secretary of State for Education, what steps her Department is taking to help tackle cyber attacks on schools.
Answered by Damian Hinds - Minister of State (Education)
Educational settings in England are responsible for maintaining their IT systems and Cyber Security. The department has a small, dedicated sector cyber security team to support this activity. This team provides appropriate guidance and advice, via regular targeted and broad communications, to help schools adhere to and maintain good cyber security standards. The department provides guidance for schools and colleges on how to help protect against a cyber incident. This guidance can be found on GOV.UK.
The department also works closely with the National Cyber Crime Security Centre (NCSC) and Joint Information Systems Committee (JISC) to ensure that up-to-date cyber security guidance is shared with schools, colleges and universities.
The department’s Risk Protection Arrangement (RPA) has more than 9,900 member schools, which represents 52% of eligible schools in England, and includes cover for cyber incidents as standard from the 2022/23 membership years. In the event of a cyber incident, RPA members have access to a 24/7 Incident Response Service.
The department’s dedicated sector cyber security function provides advice in response to cyber security enquiries and incident reports from the sector, liaising with the affected institution following an incident to advise on steps to mitigate the threat and provide guidance on recovery.
Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what proportion of his Department’s civil servants have received information security training.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
Year | Number of Civilian Staff with a current Defence Information Management Passport (DIMP) Certificate (course includes Information Security) | |||
2019 (DIMP) | *Please note we have no records prior to Nov 2020 (prior information is held on our LRS that is being upgraded and we don’t currently have access to it). | |||
2020 (DIMP) | 30,130 | |||
2021 (DIMP) | 35,162 | |||
2022 (DIMP) | 38,858 | |||
2023 (DIMP) | 40,853 | |||
In 2022, the DIMP was split into 4 separate courses: | ||||
| Protecting Personal Data (released Apr 2022) | Records Management Awareness (released Aug 2022) | Information & Knowledge Awareness (release Feb 2023) | Cyber Security Awareness (released Aug 2023) |
2022 | 13,364 | 11,383 | N/A | N/A |
2023 | 21,173 | 22,121 | 19,362 | 2883 |
2024 (so far) | 24,691 | 24,379 | 23,574 | 8652 |
The table shows the percentage of Civilian staff (currently in date) in information security. Completion numbers from the Defence Learning Environment (DLE) versus the Civilian strength data from DBS:
Course | Civilian Completion numbers currently in date (from DLE) | Defence Civilian Staff Strength (from DBS as of 1 May 24) | Percentage complete |
Protecting Personal Data | 24,691 | 51,911 | 48% |
Records Management Awareness | 24,379 | 51,911 | 47% |
Information & Knowledge Awareness | 23,574 | 51,911 | 45% |
Cyber Security Awareness | 11,535 | 51,911 | 22% |
The figures for the DIMP completion are 79% of the civil service population, the lower numbers shown against the new suite of courses is reflective of the current transition period where some staff still hold valid, in date completion of the previous DIMP course. Individuals with in-date DIMP had up to 3 years currency before needing to take the replacement courses. All new starters to Defence were mandated to take the new courses immediately. As staff come to the end of their currency in DIMP and take the new mandated courses, the latest reporting numbers will increase.
Of the total 51,911 civilian staff, 79% have a current certificate in mandated DIMP training. All staff that work with Defence Information must take these mandated courses. The data related to the new awareness courses is not a true reflection of how many staff are in date as Defence are transitioning between mandated courses so the data for both needs to be considered holistically.
Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, how many civilian staff in his Department received information security training in each year since 2019.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
Year | Number of Civilian Staff with a current Defence Information Management Passport (DIMP) Certificate (course includes Information Security) | |||
2019 (DIMP) | *Please note we have no records prior to Nov 2020 (prior information is held on our LRS that is being upgraded and we don’t currently have access to it). | |||
2020 (DIMP) | 30,130 | |||
2021 (DIMP) | 35,162 | |||
2022 (DIMP) | 38,858 | |||
2023 (DIMP) | 40,853 | |||
In 2022, the DIMP was split into 4 separate courses: | ||||
| Protecting Personal Data (released Apr 2022) | Records Management Awareness (released Aug 2022) | Information & Knowledge Awareness (release Feb 2023) | Cyber Security Awareness (released Aug 2023) |
2022 | 13,364 | 11,383 | N/A | N/A |
2023 | 21,173 | 22,121 | 19,362 | 2883 |
2024 (so far) | 24,691 | 24,379 | 23,574 | 8652 |
The table shows the percentage of Civilian staff (currently in date) in information security. Completion numbers from the Defence Learning Environment (DLE) versus the Civilian strength data from DBS:
Course | Civilian Completion numbers currently in date (from DLE) | Defence Civilian Staff Strength (from DBS as of 1 May 24) | Percentage complete |
Protecting Personal Data | 24,691 | 51,911 | 48% |
Records Management Awareness | 24,379 | 51,911 | 47% |
Information & Knowledge Awareness | 23,574 | 51,911 | 45% |
Cyber Security Awareness | 11,535 | 51,911 | 22% |
The figures for the DIMP completion are 79% of the civil service population, the lower numbers shown against the new suite of courses is reflective of the current transition period where some staff still hold valid, in date completion of the previous DIMP course. Individuals with in-date DIMP had up to 3 years currency before needing to take the replacement courses. All new starters to Defence were mandated to take the new courses immediately. As staff come to the end of their currency in DIMP and take the new mandated courses, the latest reporting numbers will increase.
Of the total 51,911 civilian staff, 79% have a current certificate in mandated DIMP training. All staff that work with Defence Information must take these mandated courses. The data related to the new awareness courses is not a true reflection of how many staff are in date as Defence are transitioning between mandated courses so the data for both needs to be considered holistically.
Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, which external organisation his Department has commissioned to conduct an independent investigation into the armed forces payment data breach reported on 6 May 2024.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
The Ministry of Defence (MOD) has commissioned the independent investigation under an existing cyber incident response contract. The MOD is unable to disclose which external organisation has been commissioned at present for national security reasons.
Asked by: Lord Browne of Belmont (Democratic Unionist Party - Life peer)
Question to the Ministry of Defence:
To ask His Majesty's Government what measures are being taken to ensure that the UK's defence spending aligns with the current strategic threat landscape, particularly in the light of emerging hybrid and cyber warfare tactics observed in recent international conflicts.
Answered by Earl of Minto - Minister of State (Ministry of Defence)
Since the latest Defence Command Paper was published the security landscape has continued to deteriorate and hybrid threats persist. The volatile, complex and ambiguous security environment demands a fully integrated approach to deterrence and our defence - including across domains, across the spectrum of competition, across Government, and with allies and partners - exploiting all the levers of state power.
To support this, the Prime Minister has committed to defence spending reaching 2.5% of GDP in 2030. Defence is establishing a prioritisation process to work through future capability and investment choices which will conclude at the next Spending Review. In the immediate term, this increased investment will be focused in part on accelerating investment in new technology for defence and ensuring our Armed Forces are benefitting from the latest technologies.