MoD data breach: State involvement cannot be ruled out in armed forces hack, says Grant Shapps

State involvement cannot be ruled out in a hack of an armed forces payroll system, the defence secretary has said.

Grant Shapps told MPs the government had reason to believe the hack "was the suspected work of a malign actor" - and the BBC understands that ministers suspect China was responsible.

The system used by the Ministry of Defence (MoD) includes names and bank details of armed forces personnel.

China described the suggestion as a "fabricated and malicious slander".

Labour's shadow defence secretary John Healey has alleged that the external contractor in charge of the hacked system was Shared Services Connected Ltd (SSCL).

The payroll system holds "personal HMRC-style information" for current regular, reservist and former members of the Royal Navy, Army and Royal Air Force over a period of several years. In a very small number of cases, the data may include personal addresses.

Prime Minister Rishi Sunak, while stopping short of naming the country responsible, said a "malign actor" had compromised the payroll system.

Downing Street said it was reviewing the security of the unnamed contractor's operations.

Speaking in the House of Commons on Tuesday, Mr Shapps criticised the contractor-operated system, saying there was "evidence of failings" by them and that it was totally separate to the core MoD network.

Mr Shapps apologised to the servicemen and women affected by the data breach and detailed an eight-point plan which included a specialist support helpline.

He told MPs the incident was "further proof that the UK is facing rising and evolving threats".

"For reasons of national security, we can't release further details of the suspected cyber-activity behind this incident", Mr Shapps said.

"However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement."

The government became aware of the data breach in recent days, and has not found evidence hackers removed data but is continuing to investigate.

Sources have told BBC News the investigation into who was behind the breach, which will be seen as embarrassing for the MoD, is at an early stage.

It can take months, sometimes years, to gather enough evidence to publicly accuse - so China is unlikely to be officially named today.

However, that does seem to be where suspicions are pointing towards, especially in light of Beijing's track record of targeting these kind of data sets.

When pressed on why the government is not naming China as responsible, the prime minister pointed to "very robust" government policy that means the UK can protect itself against the risk from China, and that defence spending had increased.

Service people affected by the hack will receive further information from the government about the breach and will be told any concerns are more about fraud risks rather than personal safety.

In an email sent to people affected on Tuesday, personnel were told they were confident May salaries will not be affected, but there may be slight delays to payments of routine expenses.

In response to the breach, Conservative MPs have raised concerns about the threat from China.

Tobias Ellwood, former chairman of the Commons Defence Committee, told BBC Radio's 4 Today programme: "Targeting the names of the payroll system and service personnel's bank details, this does point to China because it can be as part of a plan, a strategy to see who might be coerced."

He pointed to China previously trying to gain information from ex-RAF pilots.

Iain Duncan Smith said the government must admit China poses a threat to the UK.

"No more pretence, China is a malign actor, supporting Russia with money and military equipment, working with Iran and North Korea in a new axis of totalitarian states," he said.

Meanwhile, Labour's Shadow Defence Secretary John Healey said there were "serious questions" for Mr Shapps and "any such hostile action is utterly unacceptable".

In a statement, the Chinese embassy in the UK said it strongly opposed the suggestion China was responsible and it had no need to "meddle in the internal affairs of the UK".

"We urge the relevant parties in the UK to stop spreading false information, stop fabricating so-called China threat narratives, and stop their anti-China political farce," a spokesman said.

Last year, the government published an updated version of its long-term defence strategy which said the use of "commercial spyware, ransomware and offensive cyber capabilities by state and non-state actors has proliferated".

In March, the government publicly accused China of being behind an August 2021 hack targeting the details of millions of voters held by the Electoral Commission.

In December 2023, the National Cyber Security Centre said Russian intelligence was behind a "malicious cyber activity attempting to interfere in UK politics and democratic processes".

Public institutions and private firms have also been targeted by hackers demanding ransoms.

The Metropolitan Police said it is not involved in any investigation at this stage.

Additional reporting André Rhoden-Paul

Are you affected by the issues raised in this story? Share your experiences by emailing haveyoursay@bbc.co.uk.

Please include a contact number if you are willing to speak to a BBC journalist. You can also get in touch in the following ways:

If you are reading this page and can't see the form you will need to visit the mobile version of the BBC website to submit your question or comment or you can email us at HaveYourSay@bbc.co.uk. Please include your name, age and location with any submission.