John Healey
Main Page: John Healey (Labour - Wentworth and Dearne)Department Debates - View all John Healey's debates with the Ministry of Defence
Defence Personnel Data Breach
John Healey Excerpts(3 weeks, 5 days ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
John Healey (Wentworth and Dearne) (Lab)
There is deep concern in the House about this grave security breach. The House will accept and note the Defence Secretary’s apology to armed forces personnel. We welcome the statement and the multipoint plan, and I thank him for early sight of it.
There will indeed be serious concern in the MOD that news of this big data breach was splashed across the media before the Defence Secretary could set out the facts to Parliament. My overriding concern is for the safety of serving personnel and veterans affected, worried about the risk to themselves and their families and hearing first about the data being hacked from the media and not from the MOD. Our military put their own security at risk when they serve on the frontline, and the very last thing they should have to worry about is their data security back home. Any such hostile action against our forces is utterly unacceptable, and their protection must be the first-order priority for the Defence Secretary, whether on operations abroad or for their data at home.
Despite the Defence Secretary’s statement, he still has many serious questions to answer. On the breach itself, who held the data that was hacked? When was it discovered? When were Ministers told? How was it leaked to the press? On the contractor, Defence Business Services says that Shared Services Connected Ltd has the MOD contract for core payroll and other business services. How many contracts does SSCL or its parent company, Sopra Steria, have with the MOD? What action has been taken by other Government Departments with similar SSCL contracts? On forces personnel, how many serving personnel and veterans have been hit by the hack? Has every serving full-timer and reservist been affected? What support is being offered?
On last night’s media reports, has a leak inquiry been launched? The MOD’s data security record is getting worse while threats against the UK continue to rise. There has been a threefold increase in MOD data breaches in the last five years, with 35 separate MOD breaches reported to the Information Commissioner’s Office and a £350,000 fine last December. Sub-contractors are well known to be the soft underbelly of security, and this latest hack raises serious questions about how the MOD manages its outsourced services.
The media have clearly been briefed that China is behind the hack, but the Defence Secretary tells us only about a “malign actor”. The Government rightly have a rigorous system before official accusations or attributions are made, but if this data breach is found to have been carried out by a hostile state, it would represent a very serious threat to our national security.
The Government have been warned. The Intelligence and Security Committee confirmed in its China report last year that cyber-attacks by hostile states now happen daily, and now our wider armed forces community are being targeted. However, the Committee also found there was no cross-Government China strategy, “completely inadequate” resourcing, and defence intelligence with no systematic record of resources focused on China.
The Defence Secretary knows that we are united in this House. We will not stand for any such attacks and, with threats increasing, such flaws in our cyber-security must be fixed. Only then will we make Britain secure at home and strong abroad.
Grant Shapps
I thank the right hon. Gentleman for his words about the united way in which this House tackles such issues, and there is much of what he says that I can agree with. He asked a number of questions and I will try to rattle off some responses to him.
The chosen date to announce this breach was today, to ensure that we would be able to secure the systems, back up and make sure everyone had their payments made, even if it was not through those systems. The media release last night was coincidental and unwelcome, as far as we were concerned, but unfortunately a lot of people are involved in this. He asked how many personnel had been affected, and the number is 272,000. I stress that that means it is up to that number; the number is still being refined and will probably end up lower, but none the less it is a large number of people and they may have noticed that bank payments were not made, so some of the media will have picked up on that.
The right hon. Gentleman is right to say that the welfare of our personnel is our absolute first priority. I hope that he will agree that the eight-point plan focuses heavily on that and consists of ensuring that they are getting every bit of help and support required. Although we do not think the data is necessarily stolen, we are making the assumption that it has been in order to ensure that personnel get the support required, including through their own data monitoring services, which we are providing to each and every one of them, whether or not they are affected in this particular case.
The right hon. Gentleman has named the contractor involved, and I can confirm that that is the correct name, SSCL. As I mentioned in my statement, we have not only ordered a full review of its work within the MOD, but gone further and requested from the Cabinet Office a full review of its work across Government, and that is under way. I also briefly mentioned specialists being brought in to carry out a forensic investigation of the way this breach has operated.
Data breaches and this level of attack are nothing new, but the right hon. Gentleman is right to point out, and the House will be aware, that these attacks are growing, to the extent that the MOD’s networks are under attack millions of times per day, and they successfully repel those attacks millions of times per day. I stress again, particularly for servicemen and women listening, that this breach does not contain data that is on main MOD systems, and which is of even greater concern to us. It is right that we invest in protecting the systems to ensure that these data attacks are repelled and are not successful.
I would gently say to the right hon. Gentleman, as I think he might expect me to, that one of the best ways to do that is to invest in defence. That is why we are committed to a 2.5% increase, with a fixed timeline and a plan to pay for it, because it means we will be able to do more things, including investing further in cyber-security.