'State involvement' in MOD cyber attack 'cannot be ruled out'

Defence Secretary Grant Shapps arriving in Downing Street, London
Defence Secretary Grant Shapps -Credit:PA

Grant Shapps has said that "state involvement" in the large-scale cyber attack on the Ministry of Defence (MoD) cannot be ruled out amid speculation China carried out the hack. The Defence Secretary said there is evidence of "potential failings" of the contractor operating the payroll system that was hacked, "which may have made it easier for the malign actor" to gain access to the bank details of service personnel and veterans.

Labour's shadow defence secretary John Healey named the contractor as SSCL. Up to 272,000 service personnel may have been hit by the data breach, Mr Shapps told MPs. He set out an eight-point plan to support and protect those potentially affected.

The Cabinet minister declined to identify the culprit, telling the Commons: "For reasons of national security, we can't release further details of the suspected cyber activity behind this incident. However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement."

He also said: "We've launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents in the future."

Initial investigations have found no evidence that any data has been removed, but affected armed forces personnel have been alerted as a precaution. The payment network is "an external system completely separate to the MoD's core network", Mr Shapps stressed.

The system holds personal data - including names, bank details and some addresses - of regular reserve personnel and some recently retired veterans. Changes are being made to the system to ensure it is secure before payments are recommenced, the Defence Secretary said.

The senior Tory apologised "to the men and women who are affected by this", adding "it should not have happened". SSCL says on its website that it plays a "central role in delivering the MoD's vision to transform core payroll, HR and pension services" for 230,000 military personnel and reservists and two million veterans.

The firm says it provides business process services to 22 government departments and agencies and is responsible for paying 550,000 public servants. SSCL says it processes more than £363 billion in payments each year, 6.77 million transactions and 1.5 million invoices.

The firm, which says its "vision is to empower the UK public sector with digital solutions and innovative services", also processes 1.2 million recruitment applications a year.