The Secretary of State for Defence (Grant Shapps)
I would like to update the House on a data incident involving activity by a malign actor. In recent days, the Ministry of Defence has identified indications that a malign actor gained access to part of the armed forces payment network. That is an external system, completely separate from the Ministry of Defence’s core network, and it is not connected to the main military human resources system. The House will wish to note that it is operated by a contractor, and there is evidence of potential failings by it, which may have made it easier for the malign actor to gain entry. A specialist security review of the contractor and its operations is under way, and appropriate steps will be taken.
The contractor-operated system in question holds personal data of regular and reserve personnel and some recently retired veterans. That includes names and bank details, and—in a smaller number of cases—addresses. In response to the incident, we have undertaken significant and immediate action, enacting a multi-point response plan to support and protect our people. I would like to provide the House with details of this eight-point plan.
First, we immediately took the system offline. That has secured it against similar future threats. Secondly, we have launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents.
Thirdly, while our initial investigations have found no evidence that any data has been removed, as a precaution we have today alerted those service personnel affected through the chain of command. In addition, we are also sending out letters to a small number of veterans who have retired and who may have been affected as an additional precaution. The House will wish to note that the vast majority of the UK veterans community is, however, unaffected.
Fourthly, specialist advice and guidance on data security has been shared and will be available on gov.uk later today. Fifthly, we have additionally set up a helpline to support individuals. The number for the helpline is 01249 596665, and it will be available from today.
Sixthly, we are providing a commercial personal data protection service for all service personnel. That facility will constantly monitor each individual’s personal data and notify them if there are any irregularities. Even though we do not believe that their information has been stolen, we intend to do that in order to bring further peace of mind.
Seventhly, welfare and financial advice is available where needed through each individual’s chains of command.
Eighthly, on becoming aware of the incident, the MOD stopped the processing of all payments and isolated the system. I want to provide further detail on that step. We are making changes to the system to ensure that it is secure before recommencing payments through it. I confirm, though, that, in the meantime, all April salaries have been paid. Some service personnel will have experienced a slight delay in receiving some expense payments; however, we expect that to be fully resolved today, with the money in their accounts by Friday.
Furthermore, I confirm that we are ensuring that all high-value payments remain unaffected. For example, all outstanding Forces Help to Buy and terminal benefits payments have been facilitated by alternative secure transfer. As mentioned, salary payments and pensions for veterans have not been affected, and we do not expect them to be.
For reasons of national security, we cannot release further details of the suspected cyber-activity behind the incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement. The incident is further proof that the UK is facing rising and evolving threats. As I set out in my speech at Lancaster House in January, the world is, I am afraid, becoming somewhat more dangerous. Last month, the Government therefore announced an increase in defence spending to meet those new threats, reaching 2.5% of GDP by the end of the decade.
Following this incident, I can announce today that although this incident is entirely unrelated to our own MOD networks, we are also reviewing all personnel data networks to ensure that our people’s data is secure. This was the work of a malign actor who compromised a contractor-run network entirely separate from the MOD core system. However, as I have said, we cannot at this stage rule out state involvement from elsewhere. This eight-point plan outlines the immediate and significant action we are taking to protect our most precious resource: our people. Even though this occurred on a contractor’s system, with a malign actor involved—and we cannot rule out foreign state involvement—I want to apologise to the men and women affected. It should not have happened, and this eight-point plan seeks to ensure that it is put right and cannot happen again. I commend the statement to the House.
John Healey (Wentworth and Dearne) (Lab)
There is deep concern in the House about this grave security breach. The House will accept and note the Defence Secretary’s apology to armed forces personnel. We welcome the statement and the multipoint plan, and I thank him for early sight of it.
There will indeed be serious concern in the MOD that news of this big data breach was splashed across the media before the Defence Secretary could set out the facts to Parliament. My overriding concern is for the safety of serving personnel and veterans affected, worried about the risk to themselves and their families and hearing first about the data being hacked from the media and not from the MOD. Our military put their own security at risk when they serve on the frontline, and the very last thing they should have to worry about is their data security back home. Any such hostile action against our forces is utterly unacceptable, and their protection must be the first-order priority for the Defence Secretary, whether on operations abroad or for their data at home.
Despite the Defence Secretary’s statement, he still has many serious questions to answer. On the breach itself, who held the data that was hacked? When was it discovered? When were Ministers told? How was it leaked to the press? On the contractor, Defence Business Services says that Shared Services Connected Ltd has the MOD contract for core payroll and other business services. How many contracts does SSCL or its parent company, Sopra Steria, have with the MOD? What action has been taken by other Government Departments with similar SSCL contracts? On forces personnel, how many serving personnel and veterans have been hit by the hack? Has every serving full-timer and reservist been affected? What support is being offered?
On last night’s media reports, has a leak inquiry been launched? The MOD’s data security record is getting worse while threats against the UK continue to rise. There has been a threefold increase in MOD data breaches in the last five years, with 35 separate MOD breaches reported to the Information Commissioner’s Office and a £350,000 fine last December. Sub-contractors are well known to be the soft underbelly of security, and this latest hack raises serious questions about how the MOD manages its outsourced services.
The media have clearly been briefed that China is behind the hack, but the Defence Secretary tells us only about a “malign actor”. The Government rightly have a rigorous system before official accusations or attributions are made, but if this data breach is found to have been carried out by a hostile state, it would represent a very serious threat to our national security.
The Government have been warned. The Intelligence and Security Committee confirmed in its China report last year that cyber-attacks by hostile states now happen daily, and now our wider armed forces community are being targeted. However, the Committee also found there was no cross-Government China strategy, “completely inadequate” resourcing, and defence intelligence with no systematic record of resources focused on China.
The Defence Secretary knows that we are united in this House. We will not stand for any such attacks and, with threats increasing, such flaws in our cyber-security must be fixed. Only then will we make Britain secure at home and strong abroad.
Grant Shapps
I thank the right hon. Gentleman for his words about the united way in which this House tackles such issues, and there is much of what he says that I can agree with. He asked a number of questions and I will try to rattle off some responses to him.
The chosen date to announce this breach was today, to ensure that we would be able to secure the systems, back up and make sure everyone had their payments made, even if it was not through those systems. The media release last night was coincidental and unwelcome, as far as we were concerned, but unfortunately a lot of people are involved in this. He asked how many personnel had been affected, and the number is 272,000. I stress that that means it is up to that number; the number is still being refined and will probably end up lower, but none the less it is a large number of people and they may have noticed that bank payments were not made, so some of the media will have picked up on that.
The right hon. Gentleman is right to say that the welfare of our personnel is our absolute first priority. I hope that he will agree that the eight-point plan focuses heavily on that and consists of ensuring that they are getting every bit of help and support required. Although we do not think the data is necessarily stolen, we are making the assumption that it has been in order to ensure that personnel get the support required, including through their own data monitoring services, which we are providing to each and every one of them, whether or not they are affected in this particular case.
The right hon. Gentleman has named the contractor involved, and I can confirm that that is the correct name, SSCL. As I mentioned in my statement, we have not only ordered a full review of its work within the MOD, but gone further and requested from the Cabinet Office a full review of its work across Government, and that is under way. I also briefly mentioned specialists being brought in to carry out a forensic investigation of the way this breach has operated.
Data breaches and this level of attack are nothing new, but the right hon. Gentleman is right to point out, and the House will be aware, that these attacks are growing, to the extent that the MOD’s networks are under attack millions of times per day, and they successfully repel those attacks millions of times per day. I stress again, particularly for servicemen and women listening, that this breach does not contain data that is on main MOD systems, and which is of even greater concern to us. It is right that we invest in protecting the systems to ensure that these data attacks are repelled and are not successful.
I would gently say to the right hon. Gentleman, as I think he might expect me to, that one of the best ways to do that is to invest in defence. That is why we are committed to a 2.5% increase, with a fixed timeline and a plan to pay for it, because it means we will be able to do more things, including investing further in cyber-security.
Sir Jeremy Quin (Horsham) (Con)
SSCL was a joint venture with the Cabinet Office—I think there was a legacy minority stake held until last year. As is public, it also provides services to, from memory, the Metropolitan police, the Home Office and the Ministry of Justice. I welcome the Secretary of State’s remark that the investigation will be across Government, because absolutely all areas of Government that are exposed need to be doing the necessary. What specialist support is he receiving from elsewhere in Government, and when might the malign actor be named?
Grant Shapps
As my right hon. Friend will know, the process of getting towards naming—if, indeed, a state-sponsored actor is involved—is a specific process set out by the Butler reforms, and it does take some time to reach such conclusions.
My right hon. Friend asked specifically about the ongoing work with the particular contractor. The Cabinet Office is calling in specialist analysts who will carry out that work over the coming weeks. There are two separate tracks in respect of the contractor in the MOD but also, separately, in the different places across Government that my right hon. Friend rightly identified. I stress to the House—because I suspect that this will be brought up a number of times—that we expect very high standards from our contractors that work with the lives and livelihoods of our service personnel, so we will take all appropriate actions.
Martin Docherty-Hughes (West Dunbartonshire) (SNP)
I thank the Secretary of State for advance notice of the statement. There was not really much to disagree with in the questions from the shadow Defence Secretary, but I will perhaps ask for a little bit extra. On what the Secretary of State said in relation to there being a malign actor, I am sure that the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith), who has been bobbing, will not miss the wall when he asks the Secretary of State a question.
There is a bit of concern about the contractor, because it has previous when it comes to delivering Government contracts. Notably, there was a scandal over NHS business services and the running of immigration application systems. Given the seriousness of this issue for the Ministry of Defence, will the Secretary of State advise the House on whether he has confidence that the contractor is able to continue to deliver the contract? Will he consider a review of the specific armed forces payment network element and whether the contract should be brought back in-house and delivered by the MoD, rather than by some conglomerate based in Paris?
Grant Shapps
I can confirm that that review is already under way, and I can go further by saying that I am deeply interested in how this contractor, or indeed any other, behaves. I cannot jump straight to the conclusion of that research, and I do not think the hon. Gentleman would expect me to jump straight to the conclusion of a security review. To answer his question in a more straightforward way, if it were found that there is a better way to do this and we could not be satisfied on security, we would of course consider other options, such as those he suggested.
Alicia Kearns (Rutland and Melton) (Con)
With one in five residents of Rutland being veterans or serving personnel, this news will be very concerning to our communities. In the last six weeks it has been concluded that the Chinese Communist party has been responsible for hacking our armed forces, for conducting a cyber-attack on the Electoral Commission and for cyber-attacks on French and British MPs; a German aide was arrested on espionage charges; and two British men were charged with obtaining information useful to an enemy. Attacking our institutions and the people who defend or represent our people is not the act of an ally or a friend, and the British police have explicitly deemed it the action of an enemy. So what is my right hon. Friend doing to make sure that we finally get a cross-Government consensus and get the Foreign Office to change our position on this matter? These are not the acts of a friend or ally; these are the actions of a country that considers itself anathema to our values, our activities and those who defend our interests.
Grant Shapps
My hon. Friend knows that we take the view that it is absolutely wrong for Members of Parliament to be in any way sanctioned by other countries—I know that she has been sanctioned; I have been sanctioned in other areas, although not by that particular country—and she is right to point out those cases that have been proven, including when the Deputy Prime Minister stood at the Dispatch Box recently and talked about electoral data. However, it is not the case in this circumstance—I do not want to mislead the House—that there is a proven connection. I stress that although we can see that a malign actor is involved, we have yet to make the full connection to a state. Although, as I pointed out in my statement, I cannot rule out that that might be the conclusion, but we have no evidence to conclude that yet.
Derek Twigg (Halton) (Lab)
When did the MOD last carry out an audit or review of the security precautions put in place to stop a cyber-attack with this contractor, if it did at all?
Grant Shapps
I can tell the House that, specifically for the MOD estate, we do that all the time—every day. With regard to this particular contract, I am aware that we have been in contact with the contractor about its cyber-security arrangements. For the purposes of national security, I cannot go into detail in the House, but I can perhaps provide the hon. Gentleman with a little further context separately, if that is helpful.
Sir Julian Lewis (New Forest East) (Con)
I welcome the fact that the helpline has been established so quickly, and I encourage the Government to be proactive in publishing advice on what people can do, for example to secure their bank accounts. What specialist advice does the MOD routinely seek before outsourcing data on service personnel to external contractors, and what standards must be verified before such outsourcing to a civilian organisation is allowed to take place?
Grant Shapps
It is obviously completely unacceptable for a contractor to leave our brave servicemen and women in this position, so we take it incredibly seriously and are very concerned by what has happened. My right hon. Friend asks about the checks that are in place. Of course, this contract long predates current Ministers, but we are checking through the details at considerable speed. As Members can imagine, we think the contractor has many questions to answer, and the ones that he asks will be included in them.
Neil Coyle (Bermondsey and Old Southwark) (Lab)
The Intelligence and Security Committee reported last year that the Government were not protecting the UK sufficiently against cyber-attacks, including from China and particularly against our armed forces. The Secretary of State says today that he is sorry, but why did he fail to listen?
Grant Shapps
As I mentioned a few moments ago, the MOD successfully defends against millions and millions of attacks each day. The threat is very real—we have that in common with all critical national infrastructure, other Departments and many businesses. That is one reason why the Government have committed to increasing defence spending to 2.5% of our GDP, with a timeline attached, so we will have more money to spend on defending against those attacks. It is one thing to wish for that defence but another to act, which is what we have done.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I welcome my right hon. Friend to the Dispatch Box. We know now that the British Government were warned by the American security services nearly two years ago that the Electoral Commission’s system had been hacked and that a number of MPs had been hacked. In the two-year period since, the Government have said nothing about China’s role—it was China, and they were warned at the time. In fact, we now know that far more MPs than we thought—nearly 40—were hacked, which was never reported at the time. I am concerned that the Government refuse to say who is responsible in this case, and that it may be another two years before we discover it or it is said publicly.
May I ask my right hon. Friend a very simple question? The FBI director has said that China has a cyber-espionage capacity so vast that it dwarfs everybody else’s, and we now know the record of all the direct attacks on us in the House, as the Chair of the Foreign Affairs Committee, my hon. Friend the Member for Rutland and Melton (Alicia Kearns), said. Given that the Deputy Prime Minister said in 2023 that the Government were considering placing the People’s Republic of China into the enhanced tier of the foreign influence registration scheme, why in heaven’s name do we not now place this malign actor in that tier and deal with it accordingly?
Grant Shapps
I welcome my right hon. Friend’s comments about attribution. MPs and the electoral register have been hacked, and he therefore encourages me to jump to the conclusion at the Dispatch Box that the malign actor is China in this case as well. I am simply unable to do that at this stage. He would expect me to follow due process, but I rather support his view that if attribution is required, it should happen in a timely and speedy manner. I undertake from the Dispatch Box to ensure that that happens in this case, and that we do not have many months or years pass by without it being mentioned.
Richard Foord (Tiverton and Honiton) (LD)
The malign actor did not need to access the armed forces payment network to find out the salary of a British private soldier. A quick search of Google—or indeed Baidu—reveals that the salary of a British soldier on completion of initial training is less than £24,000 a year, which is less than the average UK salary of £35,000 a year. Russia is currently paying its soldiers a starting salary of more than 2.5 million roubles for fighting in Ukraine. Will the data breach by the Conservative Government’s contractor shame the UK Government into paying some of our lowest-paid servicepeople a decent salary?
Grant Shapps
That was creative, if nothing else. The fact that we paid a nearly 10% pay increase—9.7% last year—to many ranks of our armed forces, and that the Conservative party has committed to spending 2.5% of GDP, which is a pledge I have not heard repeated by the Opposition, rather suggests that we are prepared to do something about pay and retention.
James Gray (North Wiltshire) (Con)
I very much welcome the great seriousness with which the Secretary of State is taking this appalling data breach, because it really has been awful. I too am convinced that the prime contractors have very significant cyber-security requirements, so it is extremely unlikely that a prime contractor would be hacked in this way. My understanding is that subcontractors and sub-subcontractors down the food chain do not have the same level of cyber-control. We have something called the Cyber Essentials accreditation, but even that is not compulsory. Will the Secretary of State look at the way subcontractors and sub-subcontractors are checked for cyber-security and make that accreditation compulsory rather than voluntary?
Grant Shapps
The concerning thing about this particular incident is that SSCL is a primary contractor, rather than a subcontractor, but my hon. Friend is absolutely right to raise the wider issue. The answer is yes: our intention—indeed, our instruction—is to go right the way through. As I said in my initial comments, we take this incredibly seriously. It is unacceptable that it happened, and we will take every possible measure, once we have got to the forensic truth of what happened, including against the contractor and any subcontractors.
Justin Madders (Ellesmere Port and Neston) (Lab)
I understand why the Secretary of State is reluctant to name China, but it seems that every Member in this Chamber believes it is probably responsible for the breach; that is certainly what the media are reporting. I hope the Secretary of State is able to commit to a very clear timescale for coming back with some clarity on that.
I want to ask the Secretary of State about a point that has been made by a number of Members. The outsourced contractors are clearly the weak spot in our system. Will he commit to examining and analysing every single subcontractor, with a view to bringing them back in house in the light of the threats we face?
Grant Shapps
The MOD, as is the case with most militaries, uses a lot of contractors and subcontractors. Let me answer the hon. Gentleman’s question directly: yes, the review will encompass all that work, and if we believe we can do this better—many Members may conclude that this would not have happened had that data been held in the MOD and on our own systems—we will endeavour to do that.
Bob Seely (Isle of Wight) (Con)
First, I thank the Minister for his call this morning. It is a little frustrating to be told that one’s bank details and national insurance number are winging their way to Beijing or wherever they have gone. Given that I was also caught up in the Inter-Parliamentary Alliance on China breach, I wonder whether I am in the running to be the most hacked MP in Britain.
If it was weak security with the contractor, does that mean it was not a state actor? If the contractor had a high level of security, do we assume it is more likely that a state actor was behind the breach? If there was a state actor behind it, do we assume that it is China, because it has form on stealing mass data and has done so from the US federal Government?
Grant Shapps
I thank my hon. Friend for his service, and I am sorry that he had to receive that phone call about what has happened. I stress that we do not believe the data has necessarily been stolen—there is a danger of running a couple of steps ahead. We have responded with the eight-point plan as if it has been stolen, because we think that is the best position to put everybody in, including my hon. Friend, given the seriousness of the potential breach. I will struggle to answer the detail of the rest of his questions for national security reasons that I hope he will understand. Once again, I undertake that the next stage of this, which is a process set out in the Butler reforms, will be carried out quickly and efficiently.
Andrew Western (Stretford and Urmston) (Lab)
We know that the Government consider it likely that China is responsible for this hack, coming hot on the heels of the revelation that it was responsible for the hack on the Electoral Commission, as was confirmed in March. If it transpires that China is again responsible, will the Government finally stop talking tough on China and labelling it an “epoch-defining challenge”, and start acting accordingly by taking serious measures up to and including diplomatic expulsions?
Grant Shapps
I have outlined the Government’s position on this a couple of times, but I do want to note that the hon. Gentleman says “consider it likely”; I am saying that I cannot rule it out. Those are two different things. We need to allow for this forensic work to go ahead before we start attributing it. However, if there is attribution, there will clearly also be consequences.
Mr Mark Francois (Rayleigh and Wickford) (Con)
Well, at least it wasn’t Capita. This will be very worrying for service personnel and their families and for veterans, who will feel disrespected by the fact that the Government seem to have briefed that it was China overnight and then not had the nerve to confirm that in the House today because someone rang up from the Foreign Office and said, “Don’t do that.” When, oh when, will we start standing up to the Chinese in the way that they are clearly not frightened of doing to us?
Grant Shapps
Indeed, it was not my right hon. Friend’s favourite contractor on this particular occasion. None the less, we will be carrying out a comprehensive review of the contractor’s work. Again, I want to make it clear to the House that we did absolutely everything that we could to avoid this being made public until I had the opportunity to come to the House. We proactively endeavoured to ensure that our own approach towards removing the data that was online—closing that system down, ensuring the personnel were paid, making sure the alternative payments system was in place for expenses and other things—could all happen ideally before we came to the House. We most certainly did not wish to see nor brief out the story. Unfortunately, as a large number of people were impacted or potentially impacted, it was almost impossible to expect them not to go and talk about it, and I believe that that is how it came into the public domain.
My right hon. Friend is absolutely right about this. He is a champion for ensuring that these contractors do the jobs they are actually paid to do. We are now trawling through all the detail and, as I have said before, we will not leave this hanging. We will take every appropriate action because, as he might imagine, my entire team and I are very concerned about the welfare of our personnel—brave men and women who do not deserve to have this happen to them. We do not want to see it happen in the name of the MOD, either.
Jim Shannon (Strangford) (DUP)
I thank the Secretary of State for his statement and for his positive response in trying to assure our personnel. We saw this type of data breach with the Police Service of Northern Ireland, where information on officers and staff leaked, and the stress was palpable. What steps are the Secretary of State and Government taking to ensure that staff feel safe and protected, and that there is funding available for service personnel protection if necessary?
Grant Shapps
One big difference in this case is that it does not involve a member of armed forces personnel who did something wrong—this was done to them. It is not a case of someone opening an attachment or something of that nature. This is something that has happened through the system that the contractor ran. The hon. Gentleman is absolutely right to focus, as I hope I have today and as has the whole House, on the personnel and what it means to them, and in particular on reassuring them. I am grateful for the attitude and approach of the House, which I think will have largely done that for service personnel.
I will not reiterate each of the eight points. However, through the chain of command, the phone number that is now available, the information going on gov.uk and the wraparound services, including the fraud-checking service that staff will now individually have access to and many others, I hope personnel are reassured. Remember that we do not think the data has necessarily been stolen, but we are behaving as if it has in order to provide absolute security.
Sir Bernard Jenkin (Harwich and North Essex) (Con)
I thank the Secretary of State for coming to the House so speedily with a great deal about the action that is being taken. I am concerned both about the reluctance to name the malign actor and about the tendency for things to get lost in the Cabinet Office, which has become such a morass of activity.
Who in the Cabinet Office is charged with this responsibility? Is it the National Security Adviser? Which Cabinet committee is overseeing this? Is it the National Security Council itself? I hope so. Which Deputy Chief of the Defence Staff is responsible for cyber-security? Who will be responsible for making sure that all these elements are working together to conduct this review very thoroughly? I suggest that the Secretary of State brings forward a White Paper very shortly on the lessons learned from this incident and others, to provide the reassurance that not least our service personnel need.
Grant Shapps
I stress again that it is not that I am reluctant to name the malign actor, but that we need more information before I can do so. We are not trying to avoid giving the House this information; we need to be certain before we are able to do so.
My hon. Friend asks who in the Cabinet Office is charged with this responsibility, and I have spoken directly with the Deputy Prime Minister to make sure it is set from the very highest levels. My hon. Friend also asks who has overall responsibility, and it is the excellent Chief of Defence People, Phil Hally, who is very good. He has now chaired, I think, 11 internal meetings on this issue, in order to get everything ready for this afternoon. As I have said, it is with deep regret that we did not quite make it to today before the news started to break late last night. Phil Hally is responsible and will continue to be responsible for those efforts.
James Sunderland (Bracknell) (Con)
As an affected veteran, I feel a responsibility for representing and championing my former colleagues in this matter. Will the Defence Secretary please assure me on three particular areas? First, will he assure me that an appropriate diplomatic protest has been made, or will be made, to the guilty party? Secondly, will assurance be given to the House in due course that the firewall protocols given to defence contractors will match or exceed those given to the MOD itself? Thirdly, will he assure me that the information that has been hacked, if indeed it has been hacked, will be sacrosanct so that no malign actor can gain access to bank accounts after this event?
Grant Shapps
I thank my hon. and gallant Friend. He makes three excellent points, and I absolutely assure him that the guilty party will be brought to book. I also assure him that the MOD was not responsible for failing to issue correct instructions, in terms of the contractual requirement to keep this data safe.
Members on both sides of the House have pushed this point hard, and I will make sure that it is not buried or lost in process. I will return to this House. I cannot promise to do that in the next few days, as the Butler process takes a while, but I will not allow it to drop. The House has my undertaking on that issue.
Jason McCartney (Colne Valley) (Con)
May I delve into how veterans are being reassured that their data is not being used by, for example, financial scammers? As a Royal Air Force veteran, I am the proud president of the RAF Association in Huddersfield, which I know will be very worried about this issue. Will the Secretary of State be using forces charities such as the Royal Air Forces Association, the Royal British Legion, the RAF Benevolent Fund, SSAFA and many more to reassure veterans that their data will not be used by financial scammers?
Grant Shapps
My hon. Friend will be pleased to hear that we have written to each of those organisations today, both to enlist their support and to provide the detail and information to which the House has been privy this afternoon.
In answer to my hon. Friend’s specific question, a commercial organisation will now be monitoring the personal data of the individuals affected. That would include, for example, the data being used in a suspicious way, appearing on the dark web, or any other outcome. In a way, an additional layer of security will be attached to these individuals. Again, I can confirm that, as of this moment, we have seen no suspicious activity at all on those accounts.
Sir John Redwood (Wokingham) (Con)
Is there any indication of how the thief wanted to use the data, if they have actually got it? Have all the staff been advised to change accounts, passwords and internet access in every way, so that no further harm can occur?
Grant Shapps
In answer to the first point, no, there is no indication. On the second point, our regular approach—I speak as someone with an MOD account—is that passwords have to be changed regularly in order to continue to use the system, so those security measures are in place. People do not need to change their bank accounts as a result of this incident. Apart from anything else, using someone’s bank details to make a payment somewhere else would be technically difficult, as a new account would need two-factor authentication, so it is not necessary for people to change their accounts. The monitoring service will provide an overlay of additional reassurance to them.
Mr Tobias Ellwood (Bournemouth East) (Con)
I welcome the Defence Secretary’s statement in qualifying the scale of the breach and the operational changes he is going to introduce. More strategically, it illustrates how the changing character of conflict is impacting our world, with the digital terrain being as important as the physical terrain. That said, had this been a physical, kinetic attack on MOD main building, the House would be demanding some form of proportionate response. Indeed, it could be argued that it would be a NATO article 5 situation. Will the Secretary of State consider the bigger picture, because the rules of engagement and the Geneva conventions are out of date? The Secretary of State is right to say that threats are rising and evolving, but we need to address how errant nations are held to account and what constitutes a proportionate response to a cyber-attack.
Grant Shapps
It is certainly true to say that a malign actor is involved—we know that. It is possible, and I cannot rule it out, that it is attached to a country, but as soon as I say that everyone assumes it therefore is attached to a country. I am not in a position to confirm that at this point, simply because incredibly detailed forensic work is required to get to that point. My right hon. Friend is right that people differentiate, in some senses, between physical attacks and cyber-attacks, but both can be incredibly serious and have enormous consequences. Again, because we do not believe that the information has, in fact, been stolen and because we are monitoring it very carefully through the eight different measures, I stress that in this case there is a degree of feeling that we have caught it and we are controlling it. However, my right hon. Friend’s wider point is absolutely correct.
Jesse Norman (Hereford and South Herefordshire) (Con)
The Secretary of State has been clear about the serious nature of the breach; he has said so several times from the Dispatch Box. He has also said that the contractor failed to follow MOD guidelines and therefore is culpable, to some degree, as far as we can see so far. What sanctions are in place to penalise that contractor? What sanctions will the Secretary of State apply at the limit if that contractor is found to be in breach? Finally, he mentioned addresses. Roughly how many addresses have potentially been leaked? I am deeply concerned not just about bank details but about the safety and wellbeing of those soldiers.
Grant Shapps
I share my right hon. Friend’s concern about the safety and wellbeing of those soldiers. Thankfully, the answer is that very few addresses have been leaked—a very tiny number. On sanctions and what will happen, we must not jump the order of events. We have to be confident we are able to run through the audit trail of exactly what has happened. However, I again make it clear from the Dispatch Box that if negligence has been involved, then we will take the strongest possible action as a result. He and the whole House understand that that is our concern this afternoon.
David Mundell (Dumfriesshire, Clydesdale and Tweeddale) (Con)
May I seek my right hon. Friend’s reassurance that there is cross-Government working to identify the vulnerabilities in the system? We have heard this afternoon that a subcontractor’s involvement was identified as a vulnerable point. Recently, my constituents had their medical records hacked because, as a small, rural authority, it was identified as more vulnerable. Are we, across Government and across the United Kingdom, seeking out those vulnerabilities to make our data safer from malign actors and indeed from plain criminals?
Grant Shapps
I reassure my right hon. Friend that the reason I immediately asked the Cabinet Office to be involved is that, although I can do checks on that contractor and others across the MOD and MOD-related contracts, I cannot do so across the rest of Government. That is exactly the job that the Cabinet Office will now undertake. When data is stolen—or rather exposed and potentially stolen—it causes a great deal of concern and we want to ensure that that cannot happen. I reiterate that the data was not being held by the MOD systems and did not affect the MOD systems, but as Secretary of State I recognise that our responsibility extends to whoever is holding the data for our personnel, and I apologise to those involved again. This should never have happened and we will make sure it is put right.
Richard Graham (Gloucester) (Con)
The Defence Secretary has reassured us that there is no evidence yet of any data having been removed and there is no suggestion that the MOD’s core system and HR network have been compromised. Can he confirm whether there is any evidence yet of ransomware being used? What assessment has he made of whether any data has been published? Although he reassured my right hon. Friend the Member for Hereford and South Herefordshire (Jesse Norman) that the number of addresses that have been accessed is small, can he confirm that those veterans whose addresses have been accessed will be advised accordingly so that they can take security precautions, if need be?
Lastly, on the wider points, can the telephone helpline be used by anyone concerned about late payment of miscellaneous expenses? Will the Secretary of State relay to the Deputy Prime Minister my strong view that the time is ripe for a Cyber Re, or reinsurance, in the same way that we created Flood Re a while back, precisely to deal with the likely costs for small authorities, such as those alluded to, of having to repair their cyber-defences against such future attacks?
Grant Shapps
It is characteristic of my hon. Friend to include five questions in his one. The answers are: no evidence of ransomware; no evidence of data published; a very small number of addresses were accessed, and yes, those people will be contacted individually or as a group if need be; and late payments are unlikely to cause much of a difficulty, as I have said, because they will all be resolved by today and the money will be in people’s accounts either now or by the end of the week. However, if personnel have experienced any particular issues, they should take that initially through their chain of command. The phone number is also available and individual instances will be looked at on a case-by-case basis, as he would expect. He has probably taken me slightly out of my area on Cyber Re, which I think will be something for the Cabinet Office to consider. It sounds like a smart idea, but I am afraid he has got me outside my tracks.
Mr Deputy Speaker (Mr Nigel Evans)
As the hon. Gentleman waited very patiently to ask those last five questions, I let him get away with it. I thank the Secretary of State for his statement today and for responding to questions for over three quarters of an hour.