Part of the debate – in the House of Lords at 4:32 pm on 8 May 2024.
My Lords, with the leave of the House, I shall now repeat a Statement made yesterday in another place by my right honourable friend the Secretary of State for Defence. The Statement is as follows:
“I would like to update the House on a data incident involving activity by a malign actor. In recent days, the Ministry of Defence has identified indications that a malign actor gained access to part of the Armed Forces payment network. That is an external system, completely separate from the Ministry of Defence’s core network, and it is not connected to the main military human resources system. The House will wish to note that it is operated by a contractor, and there is evidence of potential failings by it, which may have made it easier for the malign actor to gain entry. A specialist security review of the contractor and its operations is under way, and appropriate steps will be taken.
The contractor-operated system in question holds personal data of regular and reserve personnel and some recently retired veterans. That includes names and bank details, and—in a smaller number of cases—addresses. In response to the incident, we have undertaken significant and immediate action, enacting a multipoint response plan to support and protect our people. I would like to provide the House with details of this eight-point plan.
First, we immediately took the system offline. That has secured it against similar future threats. Secondly, we have launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents.
Thirdly, while our initial investigations have found no evidence that any data has been removed, as a precaution we have today alerted those service personnel affected through the chain of command. In addition, we are also sending out letters to a small number of veterans who have retired and who may have been affected as an additional precaution. The House will wish to note that the vast majority of the UK veterans community is, however, unaffected.
Fourthly, specialist advice and guidance on data security has been shared and is available on GOV.UK. Fifthly, we have additionally set up a helpline to support individuals. The number for the helpline is 01249 596665, and it is available now. Sixthly, we are providing a commercial personal data protection service for all service personnel. That facility will constantly monitor each individual’s personal data and notify them if there are any irregularities. Even though we do not believe that their information has been stolen, we intend to do that in order to bring further peace of mind.
Seventhly, welfare and financial advice is available, where needed, through each individual’s chain of command. Eighthly, on becoming aware of the incident, the MoD stopped the processing of all payments and isolated the system. I want to provide further detail on that step. We are making changes to the system to ensure that it is secure before recommencing payments through it. I confirm that in the meantime all April salaries have been paid. Some service personnel will have experienced a slight delay in receiving some expense payments; however, we expect that to be fully resolved today, with the money in their accounts by Friday. Furthermore, I confirm that we are ensuring that all high-value payments remain unaffected. For example, all outstanding Forces Help to Buy and terminal benefits payments have been facilitated by alternative secure transfer. As mentioned, salary payments and pensions for veterans have not been affected, and we do not expect them to be.
For reasons of national security, we cannot release further details of the suspected cyberactivity behind the incident. However, I can confirm to the House that we have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement. The incident is further proof that the UK is facing rising and evolving threats. As I set out in my Lancaster House speech in January, the world is, I am afraid, becoming somewhat more dangerous. Last month, the Government therefore announced an increase in defence spending to meet those new threats, reaching 2.5% of GDP by the end of the decade.
Following this incident, I can announce today that although this incident is entirely unrelated to our own MoD networks, we are also reviewing all personnel data networks to ensure that our people’s data is secure. This was the work of a malign actor who compromised a contractor-run network entirely separate from the MoD core system. However, as I have said, we cannot at this stage rule out state involvement from elsewhere. This eight-point plan outlines the immediate and significant action we are taking to protect our most precious resource: our people. Even though this occurred on a contractor’s system, with a malign actor involved—and we cannot rule out foreign state involvement —I want to apologise to the men and women affected. It should not have happened, and this eight-point plan seeks to ensure that it is put right and cannot happen again. I commend the Statement to the House”.
My Lords, I draw your Lordships’ attention to my interest set out in the register as a serving Army reservist.