UK probes ‘potential failings’ at military contractor over suspected China hack

Unlock the Editor’s Digest for free

Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.

The UK government said on Tuesday that it was investigating “potential failings” at SSCL, the private IT contractor that was breached in a suspected cyber attack by China targeting the records of UK military personnel.

The hack on the company, which has multiple government contracts providing business services to other departments, accessed the records of up to 272,000 people on the Ministry of Defence’s payroll.

The attack, discovered in recent days, was carried about by a “malign actor”, the defence secretary Grant Shapps said. He did not confirm who was behind it but a person briefed on the incident said Beijing was thought to be the culprit.

“We think the private contractor has many questions to answer,” Shapps told MPs. “If it is the case that there has been negligence . . . we will take the strongest action,” he added.

SSCL holds the payroll details of most of the British armed forces and 550,000 public servants in total through its other government contracts, including with the Home Office, Ministry of Justice and Metropolitan Police.

It was set up in 2013 as a joint venture between the Cabinet Office and Paris-based Sopra Steria, a digital services company, as part of a wider drive by the government to reform the civil service and save taxpayer money by centralising functions.

It claims to have delivered £750mn in savings to the public sector over the past decade. The Cabinet Office sold its 25 per cent stake in SSCL to Sopra Steria last year. The company did not immediately respond to a request for comment.

SSCL provides business services to 22 government departments and agencies and processes more than £363bn in payments every year, according to its website. It has been awarded more than 207,000 government contracts, according to official data.

“We do need to see resilience of all third-party contractors engaged with Whitehall departments protected to the same standards as the ministries themselves,” said Tobias Ellwood, a Tory MP and former defence minister.

John Healey, shadow defence minister, said private contractors were the “soft underbelly of national security”.

Philip Davies, professor of intelligence studies at London’s Brunel University, described the hack as “very alarming because if a firm that close to Cabinet Office has lax security compliance, what of firms more removed from the centre of government — or their subcontractors, sub-sub-contractors and service providers?”

The UK has previously accused Chinese hackers of trying to break into email accounts of MPs critical of Beijing and has also blamed them for an attack on the country’s electoral watchdog that compromised millions of people’s data.

Chinese foreign ministry spokesperson Lin Jian said Beijing opposed all forms of cyber attack, and said that any remarks by UK politicians suggesting that China was responsible for the MoD hack were “absurd.”

The UK government believes that whoever accessed the MoD data did not download it. Members of the armed forces were told about the cyber attack on Tuesday morning.

Fran Heathcote, general secretary of the Public and Commercial Services union which represents civil servants, said: “We haven’t had specific problems with SSCL and have today been reassured our members’ details haven’t been leaked.

“However, we have concerns that outsourcing this kind of work to private companies makes our members’ data more vulnerable because it involves a third party being entrusted to carry out a function on behalf of the state, rather than it being done in-house by trusted staff.”

Additional reporting by Sylvia Pfeifer