UK opens investigation of MoD payroll contractor after confirming attack

UK Government has confirmed a cyberattack on the payroll system used by the Ministry of Defence (MoD) led to "malign" forces accessing data on current and a limited number of former armed forces personnel. There is no evidence to suggest that the criminals who broke into the systems actually removed any data, but they did …

  1. Lurko

    Another military privatisation success

    Just like air sea rescue, air tankers, recruitment, military accommodation.

    Given that government believes EVERYTHING is better done by the private sector, maybe they should cut out the complication of piecemeal private provision, and just hire mercenaries for all the UK's defence needs. I'm sure ministers' mates can put together credible bids to the VIP procurement lane.

    1. Anonymous Coward

      Re: Another military privatisation success

      It seems you can't win: get it under the gov umbrella, and they fail, at huge cost. Outsource it to the lowest (?) bidder, and they fail at huge cost. Mix the two together and they fail at huge cost.

      1. Pascal Monett Silver badge
        Trollface

        Yeah, but look at how much money their buddies make in the process!

    2. elsergiovolador Silver badge

      Re: Another military privatisation success

      No, the government does not believe everything is done better by the private sector.

      They believe it is better if friendly big corporations do the job, make profit and then once someone from government retires from their position, they'll get a nice cushy job as a "thank you".

      That's why the public sector is set up so that big corporations get the contracts and departments themselves cannot deliver anything, because by design they cannot hire people capable of delivering.

    3. katrinab Silver badge
      Megaphone

      Re: Another military privatisation success

      If you are a small business that doesn't have enough staff to occupy a payroll person full-time, then it makes sense to get a payroll bureau to do the work for you, because then you can share the cost of their staff with their other customers.

      In the case of payroll, "small" might actually be fairly large in any other context, possibly even the low thousands of staff, but it definitely isn't the millions of staff we are talking about here.

  2. elsergiovolador Silver badge

    What

    So far, SSCL has saved taxpayers more than £750 million in 10 years – providing more funds for frontline public services.

    Go to their website. The "Green" mode takes the cake though.

    LOL

    1. cyberdemon Silver badge
      Coffee/keyboard

      Re: What

      https://sscl.com/go-green-button/

      Reduces the site's carbon footprint by, er, hiding HTML elements that you have already downloaded and cached locally...

      Any CO2 savings from that one are completely obliterated by the cigar smoke from whichever greenwashing consultant invented it!

      It'd be more hilarious if we weren't the ones paying for it ...

    2. Anonymous Coward

      Re: What

      The Register site has the same option - it's in your user settings. It's getting more common and shouldn't be laughed at. The more people use that mode, the less networking kit is needed, the less cooling, the less electricity and the fewer data centres. It's not a small benefit if used widely. But to be fair, when Snapchat users send messages and photos of their feet (they have to attach a message to a pic) by the billions, then changes like this are less successful.

      1. cyberdemon Silver badge
        Headmaster

        Re: What

        Seriously?

        A webserver, network switch, internet routers, the client etc. use a sum total of maybe 1-10kW to transmit gigabytes of data and millions of requests per second. You're talking about the order of millijoules per request, with a vast overhead that doesn't change with the number of requests. (Switches and routers don't tend to use less energy with less load, nor does my phone / computer when displaying a text website vs one with images, and your server has to be sized to handle a DDoS, or at least a surge event e.g. when your company hits the news, so having a green mode doesn't mean you need fewer / smaller servers.)

        So my back-of-a-fag-packet calculation says you're shaving off between 5 and 50 millijoules per uncached page load when you click the Go Green button - probably less than the energy of your mouse click. Compare that to the inclusion of unwanted AI content in search results, where a 10kW server can only process a few hundred requests per second, i.e. ~100J/request (about the same energy as a hard punch in the face from a boxer, compared to the tickle of a mouse button). So for a million AI requests per second you'd need, er, close to 100MW.

        Those numbers are my own guesstimates, but you can see there are a few orders of magnitude involved. You are 'pissing in the wind' if you think a green mode does anything for the planet.

        Note though that I am not laughing at the concept of a lightweight mode, I rather like the idea of taking the cruft out of websites (although personally I do it at my end, using NoScript) - I am laughing at the claim that it saves any significant amount of energy.

  3. xyz Silver badge

    Much as I "dislike" the MoD...

    This has the smell of a Cab Off hipster driven screw up, by trying to shoehorn shared services into compartmentalised areas. There will be more cases out there that'll show up.

  4. Mike 137 Silver badge

    Not very clever

    "Per its website, SSCL's contract with the MoD sees it managing HR services for 230,000 military personnel and reservists, and two million veterans."

    How to guarantee you get picked as a target by malicious actors -- openly publicise that you process particularly sensitive information.

    1. elsergiovolador Silver badge

      Re: Not very clever

      Also look at this:

      Senior Database Administrator – Oracle e-Business Suite | SSCL

      Salary: £48,000 – £58,000

      That's a pay level only attractive to hostile state actors.

      I wonder what the markup is.

      1. Anonymous Coward

        Re: Not very clever

        Like a certain council that outsourced their database for revs and bens to an Indian support contractor. They'd remote in when required. A certain incompetent helpdesk manager left one of their accounts open. So during the night one of their agents logged in and deleted the database along with the backup. It was only discovered in the morning; yes, he'd gone rogue.

    2. Anonymous Coward

      Re: Not very clever

      But the system in question was a MOD system hosted in a MOD datacentre, made by the MOD? SSCL currently run it but their name is only in the mix because they're the last people carrying the hot potato.

  5. cyberdemon Silver badge
    Facepalm

    Also how to guarantee that you are vulnerable to such actors: run the operation for profit and spend as little as possible on the IT service that you are contracted to deliver.

    1. UnknownUnknown

      I was watching John Oliver on the Boeing Debacle.

      A comment made was 'the Military is not a profit centre'.

      Fairly apt here.

  6. EvilDrSmith

    I'm Shocked

    Shocked, I tell you.

    Not that MoD payroll records were being handled by a private company.

    Nor that the records were hacked.

    Nor even that the Chinese government was probably responsible.

    No, I'm shocked that, after near enough 35 years of continuous cutbacks, with an army smaller than at any time since the Revolutionary and Napoleonic wars, the RAF smaller than at any time in its existence, and the RN suffering a shortage of personnel, the UK still has 230,000 service personnel.

    1. Lurko

      Re: I'm Shocked

      230k service personnel? No, active, trained military personnel number about 145k, with a further 37k volunteer reservists:

      https://www.gov.uk/government/statistics/quarterly-service-personnel-statistics-2024/quarterly-service-personnel-statistics-1-january-2024

      I'd guess the difference is the bloated MoD itself with 60k civil servants who are probably on the SSCL payroll.

      1. Anonymous Coward

        Re: I'm Shocked

        SSCL is only 2500 people? And of 43 contracts, only 5 are MOD? Seems unlikely that 60,000 civil servants are on the SSCL payroll lol.

      2. Anonymous Coward

        Re: I'm Shocked

        We've been explicitly told that civil servants aren't affected - unless we are also a reservist. So no, you don't get to pull 60k out as we weren't in it.

      3. Jonathan Richards 1 Silver badge

        Re: I'm Shocked

        >difference is ... civil servants

        I believe the breach to have been in the Joint Personnel Administration system, which was set up early this century to replace the arcane and fragmented pay systems for the various services. If I'm right, then it certainly is not handling pay and personnel matters for the MoD civilians.

        1. Starxe

          Re: I'm Shocked

          No, not JPA - they confirmed that in parliament. It's in a small payment interface, from what they said.

  7. Pascal Monett Silver badge
    Stop

    "nothing but a fabricated and malicious slander"

    That coming from a country that has been repeatedly fingered for stealing industrial secrets and has an army of hackers willing and able to attack just about anything they turn their attention to.

    1. steviebuk Silver badge

      Re: "nothing but a fabricated and malicious slander"

      The CCP shills are downvoting.

      Also the country that was sending over folks to create "Police stations to help citizens sort out their driving license" and not to threaten Chinese citizens that have managed to escape the shitness of the CCP and disguising these police stations.

  8. Anonymous Coward

    This was just waiting to happen...

    If you know anything about this Orable HR system, then there are several things of note:

    1) Operations are the same people who have been running it for the last 20 years. They may have been TUPEd to all sorts of companies, but it's the same people, or their children, or their children's children...

    2) The people running the system have a single view on security processes: it's manual and it's been that way for 20 years, so it must be good! They will not accept that process is not the same as security.

    3) There is only one security classification to cover all the data. But then strictly speaking there are only 3 classifications for the whole MOD... This system is not in the top classification.

    4) There is only one HR system to cover the whole of the MOD... it doesn't matter who you are, where you are, what you do or how you do it. Think about that one carefully.

    So is this the crown jewels of MOD data, hidden in plain sight and jobsworthiness, or just a signpost to it?

    I don't actually blame SSCL for the shitshow... They were just the last ones in the hotseat; they did try to tell the MOD... it's the people rearranging the chairs that are really at fault here, because they don't understand what they have and it's all they know how to do.

    P.S. Read point 4 again and again until it sinks in...

    1. elsergiovolador Silver badge

      Re: This was just waiting to happen...

      I don't actually blame SSCL for the shitshow... They were just the last ones in the hotseat, they did try to tell the MOD...

      Such nonsense. If you see a hot mess you can't sort, you simply don't take the contract! But I guess the smell of the money was overpowering.

    2. Anonymous Coward

      Re: This was just waiting to happen...

      Yep, absolutely right. Mil HR has had a few names and owners, but has been through EDS, HP, CSC/DXC, and both Capita & Sopra Steria at SSCL. Some of the SSCL staff have sat at the same desk since before they were TUPE-ed into EDS. Some of them even date back to the Navy Pay Branch at HMS Centurion/Sultan.

      And yes, for all the SoS's minimisation, this system holds everyone's details for at least the last 20+ years. EVERYONE. Home addresses, bank accounts, next of kin, postings, everything. Hopefully what was breached was a partial extract being "securely" sent somewhere a little less securely than they thought, so the core remains clean. We can but hope.

      And forget the Chinese and the Russians for now, there are people in Belfast who might still want that information :-(

    3. Anonymous Coward

      Re: This was just waiting to happen...

      There is only one HR system to cover the whole of the MOD... it doesn't matter who you are, where you are, what you do or how you do it

      Except that we've been told that this does not affect civil servants as we are on a different system.

    4. Jonathan Richards 1 Silver badge

      Re: This was just waiting to happen...

      > 4) There is only one HR system to cover the whole of the MOD... it doesn't matter who you are, where you are, what you do or how you do it, Think about that one carefully.

      This was the Big Idea for JPA, which was designed and built to consolidate, streamline and modernise the patchwork of systems (some not even very automated) that were in place for paying Army, Navy, RAF, reservists, etc. They were a total mess, nobody really knew how they worked, and it made accounting a good deal like a living nightmare. So, yes, one HR system for all the military personnel in the UK. You Know It Makes Sense. But it also has to be handled with great care. When it was set up, it was not implemented on an Internet-facing set of servers.

  9. Phil O'Sophical Silver badge
    Facepalm

    the "strongest action" will be taken if SSCL is found to have been negligent.

    Oooh, smacked on both wrists...

    1. elsergiovolador Silver badge

      No, in Tory Britain "strongest action" means more lucrative contracts and less accountability.

  10. Anonymous Coward

    Unfair

    I think it's a little unfair to judge just yet. Not only has it not been confirmed that any data has been accessed, but SSCL inherited these systems from the MOD themselves and have been working to modernise them since. Given that it was a bodge by the lowest bidder in the first place, the blame should be shared.

    1. 0laf Silver badge

      Re: Unfair

      Let's be honest: if they didn't go with the lowest bidder, the winner would still have cut the resources to the bone in order to maximise profit.

  11. Tron Silver badge

    Why not use AI to save time and money?

    The conclusion has already been decided upon by the government - that the Chinese were to blame. Why not use ChatGPT to write the rest and save a few quid? The NHS could use it.

  12. Mark Exclamation

    Nominative determinism?

    "Shared Services Connected Ltd (SSCL) was the contractor running the system during the attack." Just sharing it all around.....

  13. MrGreen

    The Government Value Cyber Security

    This is how much the government value cyber security:

    Head of Cyber Security - HM Treasury

    Salary: £50,550 - £57,500

    https://www.linkedin.com/jobs/view/head-of-cyber-security-at-hm-treasury-3533259069/?originalSubdomain=uk#SALARY

    1. 0laf Silver badge
      Black Helicopters

      Re: The Government Value Cyber Security

      That got flagged a year ago as being ridiculous. Renfrewshire Council had a security and governance post advertised at the same time for more money.

      The consensus of the El Reg commentariat was that there was some civil service / ministerial malarkey going on with the recruitment, making the post undesirable in order to parachute in a specific person on a non-standard pay structure. No idea if that was how the story ended or not. You can search around LinkedIn etc. to see if you think things were made to happen.

      https://www.theregister.com/2023/03/31/job_ad_hm_treasury/

      1. elsergiovolador Silver badge

        Re: The Government Value Cyber Security

        This is happening all across departments. They simply can't pay more due to how pay scales are structured. This is a setup to encourage hiring staff from big consultancies, where the pay scales don't apply and so taxpayer money can be funnelled to them, as they typically charge a huge markup on top of the market-rate salary of the worker (thanks to the fact they are exempt from IR35 rules).

        1. 0laf Silver badge
          Black Helicopters

          Re: The Government Value Cyber Security

          That was true, not so sure now. I've seen many senior information security jobs advertised in the public sector which are well into industry average levels. Admittedly these are probably jobs that need three people, not one, but they do exist. Glasgow City Council was advertising recently for a senior role with remuneration up to £80k, and I've seen other Civil Service and NHS jobs with similar packages. How they are doing this within the confines of Single Status (for the councils) I don't know; previously, to get anything over about £45k you had to be a service manager, so no specific professional roles at all. I can only guess that the Unions have given them the OK to go out at close to market rate, otherwise they would get no one.

          1. elsergiovolador Silver badge

            Re: The Government Value Cyber Security

            £80k for such a job is still far too low. Bear in mind that we had massive inflation and tax hikes. £80k today is closer to what £55k would have been just a couple of years ago.

            Actual talent tends to freelance and command at least double what is being offered. They know that if they are directly employed by a big consultancy or agency, their rate is heavily creamed, so they go independent.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: The Government Value Cyber Security

      If that's the same job that was highlighted here in March 2023, then it's not what it seems. Despite the grand-sounding title, it's just the lead of a team (of 2!) of cyber analysts within a larger security group of about 40 people. Definitely not what I would call head of cyber security.

  14. MrGreen

    Which MPs Own Shares in Sopra Steria

    MPs should be made to disclose what investment they have in Sopra Steria.

    My guess is, most of them.

    Follow the money.

    1. katrinab Silver badge
      Black Helicopters

      Re: Which MPs Own Shares in Sopra Steria

      They are linked in some way to Serco I think? Which is owned by Rupert Soames, brother of former Tory MP Nicholas Soames.

  15. navarac Silver badge

    As ex-Military

    As ex-military, I have to ask "What the fuck is Defence information doing being put in the hands of a foreign company?". I don't care that it is cheaper. It actually means we in the UK are either pricing ourselves out of the market, the companies are greedy, or we are incapable. I go for the last!

    1. UnknownUnknown

      Re: As ex-Military

      Because it's cheap, innit.

    2. Valeyard

      Re: As ex-Military

      Well, I would've been screwed by this contractor fuckup myself...

      ... except I'm still months into the slow-as-hell army application process, in turn contracted out to Capita.

      Operation failed successfully!

    3. Anonymous Coward

      Re: As ex-Military

      It's worse than that: not only is it foreign, ... it's French!

      1. 0laf Silver badge
        FAIL

        Re: As ex-Military

        Don't forget your oh so lovely (and totally worth it) blue passport (not that Johnny foreigner burgundy) is made in Poland by a Franco/Dutch company. Yay Brexit, we're taking back control etc etc [insert platitude or lie of choice].

  16. h3nb45h3r

    Fujitsu tower must have had a moment

    I bet there were a few Fujitsu execs who had no idea what UK Gov contracts they have (well, they have so many and are getting many more, despite not tendering for UK Gov contracts), then they saw the headline.

    Only joking, like it would bother them!

  17. Anonymous Coward

    I wonder if it's just MOD or all SSCL shared services?

    https://www.civilserviceworld.com/professions/article/moj-staff-records-transferred-to-shared-services-hub
