← Back to House of Commons Debates
Defence Personnel Data Breach
07 May 2024
Lead MP
Grant Shapps
Debate Type
Ministerial Statement
Tags
DefenceEmploymentScience & TechnologyParliamentary Procedure
Other Contributors: 26
At a Glance
Grant Shapps raised concerns about defence personnel data breach in the House of Commons. A government minister responded. Other MPs also contributed.
How the Debate Unfolded
MPs spoke in turn to share their views and ask questions. Here's what each person said:
Government Statement
I would like to update the House on a data incident involving activity by a malign actor. The Ministry of Defence identified that an external system, operated by a contractor, was compromised. This system held personal data of regular and reserve personnel and some recently retired veterans, including names, bank details, and addresses in some cases. Immediate actions include taking the system offline, launching a full investigation with Cabinet Office support, alerting affected individuals through the chain of command, setting up a helpline, providing commercial personal data protection services, offering welfare and financial advice, ensuring all high-value payments remain unaffected, and reviewing personnel data networks to ensure security. The MOD confirmed no evidence that any data was removed but acknowledged potential failings by the contractor which may have facilitated the breach.
Kevan Jones
Lab
Durham
Question
The Minister referred to 'malign actors'. Does he know whether this malign actor is a hostile state or a criminal organisation, and if so which one?
Minister reply
For reasons of national security, we cannot release further details of the suspected cyber-activity behind the incident. However, I can confirm that there are indications it was the work of a malign actor, and we cannot rule out state involvement.
James Davies
Con
Westbury
Question
Can the Minister clarify whether this is the first time this contractor has experienced such an incident? Is the MOD reviewing all contracts with Sopra Steria to identify any potential security vulnerabilities?
Minister reply
On the exact number of other SSCL or parent company, Sopra Steria, contracts with the MOD and actions taken by other Government Departments with similar SSCL contracts, I am afraid I do not have that information today but will write to the hon. Gentleman.
Mike Penning
Con
Harlow
Question
Could this be a result of human error or could it actually be an inside job? Has there been any suggestion of state interference?
Minister reply
For reasons of national security, we cannot release further details of the suspected cyber-activity behind the incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement.
John Healey
Lab
Rawmarsh and Conisbrough
Question
Expressed concern about the security breach affecting military personnel, questioning specifics of the breach timeline, contractor involvement, and overall impact on national security. Emphasised the need for thorough investigations and support measures for affected individuals.
Minister reply
Acknowledged concerns and provided details on the number of affected personnel (272,000), confirming a full review of SSCL's work within MOD and across Government is underway. Stressed the importance of ongoing cyber-security investments in defence.
Question
Asked about specialist support received from other parts of government for the investigation, and when the malign actor might be named.
Minister reply
Confirmed that a full review is being carried out by the Cabinet Office with specialists. Emphasised adherence to Butler reforms' process before naming state-sponsored actors.
Question
Pressed for more information on confidence in SSCL's ability to continue delivering MOD contracts, and suggested a review of the contract being brought back in-house.
Minister reply
Confirmed that a review is underway and if security issues are identified, other options including internal delivery will be considered.
Alicia Kearns
Con
Rutland and Stamford
Question
Highlighted the concern for Rutland's veterans and serving personnel community. Asked about measures being taken to address cross-Government consensus on China's hostile actions against UK institutions.
Minister reply
Acknowledged the seriousness of such acts but clarified that while a malign actor is involved, there is no concrete evidence linking it directly to state involvement at this stage.
Julian Lewis
Con
New Forest East
Question
Welcomes the establishment of a helpline and encourages proactive publishing of advice to secure bank accounts. Asks about checks the MOD conducts before outsourcing data on service personnel to external contractors, including verification of standards.
Minister reply
Acknowledges seriousness of the situation and confirms ongoing investigation into the contract's details. Emphasises concern over contractor's actions.
Neil Coyle
Lab
Bermondsey and Old Southwark
Question
Questions why Government did not act on Intelligence and Security Committee report warning about insufficient protection against cyber-attacks, including from China.
Minister reply
Confirms MOD successfully defends millions of daily attacks. Commits to increasing defence spending to 2.5% of GDP to address threats.
Chingford and Woodford Green
Question
Asks why Government did not disclose that the US warned UK about China hacking Electoral Commission system two years ago, affecting nearly 40 MPs without public mention.
Minister reply
Acknowledges need for attribution but refuses to jump to conclusions. Promises timely investigation.
Richard Foord
Lib Dem
Honiton and Sidmouth
Question
Suggests data breach may shame Government into addressing low pay for service personnel, noting Russia's higher soldier salaries.
Minister reply
Responds that 9.7% pay increase was given last year and commits to spending 2.5% of GDP on defence.
James Grey
not specified
Question
Concerned about cyber-security measures for subcontractors, noting current voluntary Cyber Essentials accreditation.
Minister reply
Committed to reviewing all contractors and subcontractors' security measures extensively.
Justin Madders
Lab
Ellesmere Port and Bromborough
Question
Asks for clarity on timescale for naming likely state actor behind breach, suggesting that China is probably responsible.
Minister reply
Commits to thorough review of all contractors and subcontractors if it can improve security. Will act based on findings.
Bob Seely
not specified
Question
Asks whether weak security with contractor implies non-state actor involvement, and likelihood of China being behind the breach.
Minister reply
Notes need for thorough investigation before attribution. Stresses seriousness of potential data theft.
Andrew Western
Lab
Stretford and Urmston
Question
Presses for serious measures against China, including diplomatic expulsions if confirmed as responsible.
Minister reply
Confirms MOD is investigating without jumping to conclusions. Emphasises consequences will follow if attribution confirmed.
Mark Francois
Con
Rayleigh and Wickford
Question
Well, at least it wasn’t Capita. This will be very worrying for service personnel and their families and for veterans, who will feel disrespected by the fact that the Government seem to have briefed that it was China overnight and then not had the nerve to confirm that in the House today because someone rang up from the Foreign Office and said, “Don’t do that.” When, oh when, will we start standing up to the Chinese in the way that they are clearly not frightened of doing to us?
Minister reply
Indeed, it was not my right hon. Friend’s favourite contractor on this particular occasion. None the less, we will be carrying out a comprehensive review of the contractor’s work... We most certainly did not wish to see nor brief out the story... My right hon. Friend is absolutely right about this.
Jim Shannon
DUP
Strangford
Question
I thank the Secretary of State for his statement and for his positive response in trying to assure our personnel. We saw this type of data breach with the Police Service of Northern Ireland, where information on officers and staff leaked, and the stress was palpable. What steps are the Secretary of State and Government taking to ensure that staff feel safe and protected, and that there is funding available for service personnel protection if necessary?
Minister reply
One big difference in this case is that it does not involve a member of armed forces personnel who did something wrong—this was done to them... The hon. Gentleman is absolutely right to focus... I hope personnel are reassured.
Bernard Jenkin
Con
Harwich and North Essex
Question
I thank the Secretary of State for coming to the House so speedily with a great deal about the action that is being taken. I am concerned both about the reluctance to name the malign actor and about the tendency for things to get lost in the Cabinet Office, which has become such a morass of activity... Who in the Cabinet Office is charged with this responsibility? Is it the National Security Adviser?
Minister reply
I stress again that it is not that I am reluctant to name the malign actor, but that we need more information before I can do so... My hon. Friend asks who in the Cabinet Office is charged with this responsibility, and I have spoken directly with the Deputy Prime Minister...
Question
As an affected veteran, I feel a responsibility for representing and championing my former colleagues in this matter... Will the Defence Secretary please assure me on three particular areas? First, will he assure me that an appropriate diplomatic protest has been made, or will be made, to the guilty party?
Minister reply
I thank my hon. and gallant Friend. He makes three excellent points, and I absolutely assure him that the guilty party will be brought to book... Members on both sides of the House have pushed this point hard...
Question
May I delve into how veterans are being reassured that their data is not being used by, for example, financial scammers? As a Royal Air Force veteran, I am the proud president of the RAF Association in Huddersfield, which I know will be very worried about this issue.
Minister reply
My hon. Friend will be pleased to hear that we have written to each of those organisations today... My hon. Friend’s specific question, a commercial organisation will now be monitoring the personal data of the individuals affected.
Question
Is there any indication of how the thief wanted to use the data, if they have actually got it? Have all the staff been advised to change accounts, passwords and internet access in every way, so that no further harm can occur?
Minister reply
In answer to the first point, no, there is no indication... On the second point, our regular approach—I speak as someone with an MOD account—is that passwords have to be changed regularly in order to continue to use the system...
Question
I welcome the Defence Secretary’s statement in qualifying the scale of the breach and the operational changes he is going to introduce. More strategically, it illustrates how the changing character of conflict is impacting our world... Will the Secretary of State consider the bigger picture...
Minister reply
It is certainly true to say that a malign actor is involved—we know that... My right hon. Friend’s wider point is absolutely correct.
Jesse Norman
Con
Hereford and South Herefordshire
Question
The Secretary of State has been clear about the serious nature of the breach; he has said that the contractor failed to follow MOD guidelines and therefore is culpable. What sanctions are in place to penalise that contractor? What sanctions will be applied if the contractor is found to be in breach? How many addresses have potentially been leaked?
Minister reply
The number of leaked addresses is very small. If negligence is involved, the strongest possible action will be taken. The Cabinet Office is being consulted for cross-Government checks.
David Mundell
Con
Dumfriesshire, Clydesdale and Tweeddale
Question
Is there cross-Government working to identify vulnerabilities in the system? A subcontractor’s involvement was identified as a vulnerable point. Are we seeking out these vulnerabilities across Government?
Minister reply
The Cabinet Office will undertake checks across Government departments to ensure data security and prevent similar breaches.
Question
Is there evidence of ransomware being used? What assessment has been made on whether any data was published? Will veterans whose addresses have been accessed be advised accordingly? Can the telephone helpline be used by anyone concerned about late payment of miscellaneous expenses? Is it time for a Cyber Re scheme?
Minister reply
There is no evidence of ransomware or data publication. A small number of addresses were accessed and affected individuals will be contacted if necessary. Late payments are unlikely to cause difficulties, but personnel can use the helpline for individual issues. The idea of Cyber Re may be considered by the Cabinet Office.
Shadow Comment
John Healey
Shadow Comment
There is deep concern in the House about this grave security breach. The shadow minister welcomed the statement and multipoint plan but expressed serious concerns over the MOD's data security record, which has seen a threefold increase in breaches in the past five years. He questioned the timeline of the incident, the extent of its impact on serving personnel and veterans, the actions taken by other Government Departments with similar contracts, and the potential state involvement behind the hack.
▸
Assessment & feedback
Summary accuracy
About House of Commons Debates
House of Commons debates take place in the main chamber of the House of Commons. These debates cover a wide range of topics including government policy, legislation, and current affairs. MPs from all parties can participate, question ministers, and hold the government accountable for its decisions.