Defence Personnel Data Breach - Statement

Part of the debate – in the House of Lords at 4:38 pm on 8 May 2024.

Alert me about debates like this

Photo of Lord Coaker Lord Coaker Shadow Spokesperson (Defence), Shadow Spokesperson (Home Affairs), Opposition Whip (Lords) 4:38, 8 May 2024

My Lords, I thank the Government for the opportunity to discuss this Statement again today and the noble Lord for repeating it. He will know that on these matters we are united with the Government. We cannot and must not stand for any such attacks. With the number and level of such threats increasing, we have to do all we can to make our country secure at home and strong abroad, so the news of this grave security and data breach is of real concern to us all. It is particularly alarming given that this is yet another example of an MoD data breach. It is particularly concerning as it involves our Armed Forces personnel past and present.

In the last five years, there has been a threefold increase in MoD data breaches, with 35 separate breaches reported to the Information Commissioner’s Office. Such threats—from state activity and other malign actors—are increasing across government, including attacks on prime contractors and subcontractors, as in this shocking case. Do they not present a soft underbelly to our national security?

Can the noble Lord explain when this breach took place? When did Ministers become aware of it? Reports say that these attacks took place weeks ago, but that Ministers were informed only days ago. Is that the case, or are the reports simply wrong? In these instances, who is responsible for alerting whom, how quickly, and when? Who monitors these contracts? Why did it take this appalling incident to alert officials, as the Defence Secretary said in the other place, to the potential failings of the company now named SSCL? What other potential problems are there? What other government departmental contracts are run by SSCL—or indeed by others—which could also be impacted by this breach? This itself would represent a very real threat to national security. Does any review being undertaken by the Government include all these other prime contracts and subcontracts, stretching across government?

The noble Lord and the Government say that this constraint is now offline, but I am unclear on some of the facts. Can the Minister confirm that all salaries and expenses will be paid by this Friday? Can he confirm how many service personnel, past and present, have been or may have been affected by this breach? In the other place, a figure of up to 272,000 was mentioned. How near to that figure will it be? The Government were unclear about that. What is the Government’s latest estimate of the number of Armed Forces personnel, past and present, who will be affected?

The Minister in the other place went to great lengths to say that a malign actor was responsible for the breach, but he would go no further. Why not? Can the noble Lord explain how it was briefed all over the media that sources believed it was China? Of course, evidence is needed to confirm that, but how did that occur? Has the noble Lord anything further to say about that? When will he be in a position to update us on the outcome of the Government’s own inquiries? Can he also explain how this data breach appeared in the media—presumably through a leak—meaning that Armed Forces personnel found out what had happened through the media, rather than in the proper way? How did all this happen?

This is exceptionally serious. In addition to reassuring our Armed Forces personnel, who, frankly, deserve better, our country, too, needs reassurance. The MoD, the guardian of the nation, is threatened, along with others, and its defences appear to have been breached. Time and again, we also see security undermined in other areas of government. We all hope that the eight- point plan will reassure our personnel, and their welfare must be our top priority. The Government have been warned time and again—not least by recent reports from the Intelligence and Security Committee, for example —about threats from China and others. Why have the Government not taken more urgent action? They need to adopt a more cross-cutting, far-reaching, urgent approach to cybersecurity. We all support the security of our country. We all want our country to be safe. Does this further example of a cyberattack not represent yet another wake-up call to the Government?