The IT company targeted by a Chinese hack that accessed the data of hundreds of thousands of Ministry of Defense employees did not report the breach for months, The Guardian can reveal.
UK Defense Secretary Grant Shapps told MPs on Tuesday that Shared Services Connected Ltd (SSCL) had been breached by a malign actor and that “state involvement” could not be ruled out.
Shapps said the payroll records of some 270,000 current and former military personnel had been accessed, including their home addresses. The government has not openly pointed the finger at China as the culprit.
The Defense Ministry was informed of the hack in recent days, but multiple sources said SSCL, a branch of French technology company Sopra Steria, learned of the breach in February.
Sopra Steria did not respond to requests for comment.
A Whitehall whistleblower did not comment on the timeline but said concerns that SSCL was “slow to respond” were among the issues being examined in an official inquiry into the hack.
It can also be revealed that SSCL was awarded a contract worth more than £500,000 in April to monitor the MoD’s own cybersecurity, several weeks after it was hacked. Officials now believe this contract could be revoked.
The payroll data that was hacked reflects only a fraction of the work SSCL does for the government.
Sopra Steria and SSCL are understood to have other undisclosed government cybersecurity contracts, according to Whitehall sources. However, they are considered so sensitive that they have never been made public. The Cabinet Office declined to comment on the details of the contracts, citing security restrictions.
The cybersecurity arm of the UK intelligence services, the National Cyber Security Centre, has warned of a growing threat to the country’s businesses and critical national infrastructure by hostile states. Chinese and Russian state-sponsored actors stood out among the attackers who used a variety of routes to try to conceal malicious activity on networks containing sensitive information.
Whitehall concerns about a lack of transparency from SSCL have raised fears that there could be a wider compromise of its systems. Sopra Steria is one of the government’s few strategic suppliers, with work ranging from pension administration to broader payment systems for government departments and agencies.
Shapps told parliament that the government had “not only ordered a full review of its (SSCL) work within the Ministry of Defence, but had gone further and asked the Cabinet Office for a full review of its work across government, and that is underway.” He added that specialists had been brought in to carry out a “forensic investigation” into how the breach occurred.
Earlier this week, a Cabinet Office spokesperson said: “A comprehensive, independently audited security review of the contractor’s operations is underway and appropriate action will be taken based on its findings.”
SSCL was partially owned by the government until October last year, when it sold its 25% stake in Sopra Steria for £82 million. SSCL was aware of being a “magnet” for cyber attacks, sources said. A public warning about identity theft has appeared on the website of its parent company, Sopra Steria, for at least three years, according to an analysis of the page’s history.
The hack was first detected internally in February, sources said, and concerns about potentially successful phishing attacks on the company date back to December 2019.
SSCL and its parent company hold a total of £1.6bn in government contracts. These include a range of highly sensitive roles such as Home Office recruitment and online testing for officers, according to contract information collected by data firm Tussell.
The Chinese embassy has said China was not responsible for the attack. A spokesperson said: “We urge relevant parties in the UK to stop spreading false information, stop fabricating so-called China threat narratives and stop their anti-China political farce.”