State involvement in MoD cyber attack cannot be ruled out, Grant Shapps says

Grant Shapps has said that “state involvement” in the large-scale cyber attack on the Ministry of Defence (MoD) cannot be ruled out amid speculation China carried out the hack.

The Defence Secretary said there is evidence of “potential failings” of the contractor operating the payroll system that was hacked, “which may have made it easier for the malign actor” to gain access to the bank details of service personnel and veterans.

Labour’s shadow defence secretary John Healey named the contractor as SSCL.

The firm says it provides business process services to 22 government departments and agencies and is responsible for paying 550,000 public servants.

Confirming the contractor was SSCL, Mr Shapps said he had asked for a review of the company’s work across government.

Up to 272,000 service personnel may have been hit by the data breach, Mr Shapps told MPs.

He set out an eight-point plan to support and protect those potentially affected.

The Cabinet minister declined to identify the culprit, telling the Commons: “For reasons of national security, we can’t release further details of the suspected cyber activity behind this incident.

“However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement.”

He also said: “We’ve launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents in the future.”

Initial investigations have found no evidence that any data has been removed, but affected armed forces personnel have been alerted as a precaution.

The payment network is “an external system completely separate to the MoD’s core network”, Mr Shapps stressed.

The system holds personal data – including names, bank details and some addresses – of regular reserve personnel and some recently retired veterans.

Changes are being made to the system to ensure it is secure before payments are recommenced, the Defence Secretary said.

The senior Tory apologised “to the men and women who are affected by this”, adding “it should not have happened”.

SSCL says on its website that it plays a “central role in delivering the MoD’s vision to transform core payroll, HR and pension services” for 230,000 military personnel and reservists and two million veterans.

The firm, a subsidiary of the Paris-based tech company Sopra Steria, says it processes more than £363 billion in payments each year, 6.77 million transactions and 1.5 million invoices.

The company, which says its “vision is to empower the UK public sector with digital solutions and innovative services”, also processes 1.2 million recruitment applications a year.

Prime Minister Rishi Sunak earlier also declined to say who was behind the cyber attack, but said the UK is taking the powers necessary “to protect ourselves against the risk that China and other countries pose to us”.

Conservative former leader Sir Iain Duncan Smith said he was “concerned” the Government was not able to point the finger at China.

“I think the Government is a bit conflicted about this,” he told Sky News, claiming the Foreign Office did not want to “upset China”.

“The truth is we know that China is the malign actor they’re referring to.”

A spokesperson for the Chinese embassy said claims Beijing was behind the attack were “completely fabricated and malicious slanders”.

They said: “China has neither the interest nor the need to meddle in the internal affairs of the UK.

“We urge the relevant parties in the UK to stop spreading false information, stop fabricating so-called China threat narratives, and stop their anti-China political farce.”

Labour’s Mr Healey said: “The MoD’s data security record is getting worse while threats against the UK rise – with a three-fold increase in MoD data breaches over the last five years.

“Such flaws in our cybersecurity must be fixed.”

The revelation of the MoD data breach comes after the UK and the US in March accused China of a global campaign of “malicious” cyber attacks in an unprecedented joint operation to reveal Beijing’s espionage.

Britain blamed Beijing for targeting the Electoral Commission watchdog in 2021 and for being behind a campaign of online “reconnaissance” aimed at the email accounts of MPs and peers.

The Metropolitan Police Service (MPS) also uses SSCL as payroll network provider.

The Met said: “There is currently no evidence to suggest that there has been any compromise of the MPS payroll service.”