Defence Personnel Data Breach - Statement

Part of the debate – in the House of Lords at 4:38 pm on 8 May 2024.

Baroness Smith of Newnham Liberal Democrat Spokesperson (Defence), Liberal Democrat Lords Spokesperson (Defence) 4:38, 8 May 2024

My Lords, I agree with the noble Lord, Lord Coaker, that His Majesty’s Government have many questions to answer. I thank the Minister for taking the hospital pass and repeating the Statement to the House this afternoon.

The wording of the Statement is interesting. The Ministry of Defence has identified indications that a malign actor gained access. Did it identify these indications only after the leak to the media, or was it aware of this and trying to deal with matters behind the scenes? It would be helpful to understand whether the MoD has a handle on the data breach.

As the noble Lord, Lord Coaker, has pointed out, there are questions about prime contractors and subcontractors, and the eight-point plan raises some concerns about what is being asked of government departments and our contractors. Point four states:

“specialist advice and guidance on data security has been shared”

and is available now on GOV.UK. This is part of the eight-point plan—after the horse has bolted. Why on earth was this advice not available before the data breach? It is not good enough for the Secretary of State to refer the other place back to his Lancaster House speech and remind us that the world is a “more dangerous” place. We know the world is a dangerous place. We know that there are cybersecurity dangers, and if the MoD and its contractors cannot ensure that we are safe and secure from data breaches, who can? Can the average citizen of the United Kingdom feel secure if the MoD is not able to deal with its own cybersecurity? Why can it not? To say that this is a contractor and therefore separate from the MoD’s HR supply is not necessarily adequate, either. Are the requirements for our prime contractors and subcontractors adequate?

A question asked in the other place, and which the noble Lord, Lord Coaker, has also touched on this afternoon, is: which other government departments are using Shared Services Connected Ltd and to what extent should we be concerned? My understanding is that the Home Office, the MoJ and possibly the Cabinet Office are also part of these contracts, but the Secretary of State did not appear to be able to answer the question in the other place. I hope, with the additional 24 hours, that the noble Lord, Lord Harlech, may be able to give us some answers to this question.

Point six of the eight-point plan says that His Majesty’s Government are now

“providing a commercial personal data protection service for all service personnel”.

Why is it a commercial personal data protection service? Would it not now be appropriate to learn the lessons of outsourcing and think about whether we should provide our own HR and payroll? Would it not be appropriate for His Majesty’s Government to rethink that and for personnel data to be ensured by His Majesty’s Government and not outsourced?

I have two final points to make in my last 33 seconds. Given the Border Force issues yesterday, do we suspect that the same malign actors who hacked the data impeded people entering our country? Are other malign actors damaging UK infrastructure? Is that a further security concern? My final point concerns the noble and gallant Lord, Lord Craig of Radley. During questions on the response of Israel and its iron dome a couple of weeks ago, he asked whether, if London were faced with a similar issue, we would be able to defend ourselves. Should we not be concerned that, if the MoD cannot defend its personnel against hackers and malign actors, maybe our country is not as secure as it should be?