Shapps orders specialist review of MoD contractor ‘hacked by China’

Mr Shapps told the Commons he had asked for a review of SSCL's work across government
Mr Shapps told the Commons he had asked for a review of SSCL's work across government

Grant Shapps has ordered a review into the company at the heart of the Ministry of Defence hack blamed on China, as The Telegraph can reveal it had previously put prison staff data at risk.

Hackers, understood to be backed by Beijing, gained access to payroll information held by Shared Services Connected Ltd (SSCL), which included the names, bank details and some addresses of serving personnel, reservists and veterans.

Up to 272,000 service personnel may have been hit by the data breach.

The Defence Secretary told MPs on Tuesday that a “specialist security review of the contractor and its operations is under way”.

Mr Shapps said: “We’ve launched a full investigation, drawing on Cabinet Office support and specialist external expertise to examine the potential failings of the contractor and to minimise the risk of similar incidents in the future.”

He added that the “full review” of SSCL would be “across Government”, not just within the MoD.

As well as the MoD, SSCL provides services to 22 government departments and agencies and is responsible for processing the wages of 550,000 public servants.

The Telegraph can reveal that the contractor was previously the subject of a Ministry of Justice (MoJ) investigation after a “potential data leak” that exposed personal details of thousands of prison officers, including email addresses, work locations and national insurance numbers.

In December 2019, the Prison Officers Association (POA) wrote to members revealing that an “incorrectly configured web server” linked to an SSCL training website meant that personal information for the majority of staff was accessible online.

The data breach, which also exposed names, email addresses, dates of birth, training information and names of line managers, occurred days before the MoD announced a £300 million contract with SSCL, which was part-owned by the Cabinet Office until last year, to modernise its IT systems.

The MoD's data breach comes after the UK and the US in March accused China of a global campaign of "malicious" cyber attacks
The MoD's data breach comes after the UK and the US in March accused China of a global campaign of "malicious" cyber attacks - JAMES VEYSEY/SHUTTERSTOCK

The MoJ alerted the Information Commissioner’s Office and launched an investigation over the data breach, while SSCL updated security systems to address the flaw. It is unclear if the error led to data being stolen, or what the MoJ investigation concluded.

SSCL, a subsidiary of the Paris-based tech company Sopra Steria, continues to work with the Ministry of Justice, helping to recruit prison officers.

It works with 22 UK Government departments including the Home Office and Department of Work and Pensions as well as bodies such as the Office for Nuclear Regulation.

The Metropolitan Police Service (MPS) also uses SSCL as payroll network provider.

Speaking in the House of Commons on Tuesday, Mr Shapps said he had asked for a review of the company’s work across government.

He told MPs: “It is obviously completely unacceptable for a contractor to leave our brave servicemen and women in this position, so we take it incredibly seriously.”

Mr Shapps said that initial investigations had not found evidence that any data had been “removed”, although he cautioned that affected personnel had been alerted as a precautionary measure.

He stressed that the payment network is “an external system completely separate to the MoD’s core network”.

The defence secretary did not name China as responsible for the attack, but insisted to MPs that he was not “reluctant” to name the “malign actor”.

He said: “For reasons of national security, we can’t release further details of the suspected cyber activity behind this incident.

“However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement.”

Rishi Sunak also declined to say who was behind the cyber attack on Tuesday, but said the UK is taking the powers necessary “to protect ourselves against the risk that China and other countries pose to us”.

Defence sources have told the Telegraph they believe China was behind the hack.

A spokesperson for the Chinese embassy said claims Beijing was behind the attack were “completely fabricated and malicious slanders”.

The MoD’s data breach comes after the UK and the US in March accused China of a global campaign of “malicious” cyber attacks in an unprecedented joint operation to reveal Beijing’s espionage.

Britain blamed Beijing for targeting the Electoral Commission watchdog in 2021 and for being behind a campaign of online “reconnaissance” aimed at the email accounts of MPs and peers.

The Met said: “There is currently no evidence to suggest that there has been any compromise of the MPS payroll service.”

SSCL and Sopra Steria did not respond to requests for comment.