The MOD Payroll Breach: How a Government Contractor Exposed 272,000 Military Personnel Records

A contractor-operated payroll system holding records for up to 272,000 UK military personnel was compromised in early 2024. The breach exposed names, bank account details, and in a smaller number of cases, home addresses and National Insurance numbers. The contractor that ran the system, Shared Services Connected Limited (SSCL), discovered the intrusion roughly three months before telling the government. During that three-month window, SSCL was awarded an additional GBP 500,000 cybersecurity monitoring contract.
The Ministry of Defence (MOD) confirmed the breach in Parliament on 7 May 2024 after Sky News broke the story the previous evening. Defence Secretary Grant Shapps announced an eight-point response plan and ordered a full review of SSCL's work across government. The Information Commissioner's Office (ICO) confirmed it was assessing the situation. Within months, more than 5,000 affected individuals had approached legal specialists, and over 3,000 had signed up for potential group action against SSCL.
This wasn't a breach of the MOD's own systems. The core military network and the main HR system were never compromised. It was a breach of an outsourced service, operated by a private contractor, owned by a French parent company. The gap between the security frameworks that were supposed to govern that contractor and the reality of what happened is where the lessons sit.
What everyone thinks happened
The story that circulated in the press was straightforward. Chinese hackers broke into the MOD's computer systems and stole the personal details of every member of the British Armed Forces. The media coverage focused on the attribution question, specifically whether China was responsible, and the political fallout of a foreign state accessing military data.
That framing gets several important things wrong. The compromised system wasn't part of the MOD's internal network. It was a completely separate external system operated by a private contractor under a commercial contract worth over GBP 294 million. The data, while sensitive, was payroll information, not operational military intelligence or classified material. Ciaran Martin, the founding CEO of the National Cyber Security Centre (NCSC), described the breach as "serious, it's at the lower end of serious." He also noted that the data "could have been a great deal more sensitive."
The attribution question consumed most of the public discussion, but the more significant issue for any organisation watching was the supply chain failure. A government contractor held sensitive data for hundreds of thousands of military personnel. That contractor discovered a breach and kept it quiet. It then sat on it for approximately three months. And in the middle of that period, while the breach was already known internally, the same contractor received additional government contracts.
What actually happened
The system and the contractor
The compromised system was the Armed Forces payment network, an external payroll platform that handled pay, pensions, and HR services for all three branches of the military. It was operated by SSCL under a contract valued at over GBP 294 million. The system covered payroll for approximately 230,000 serving personnel and reservists, along with pension administration for around 2 million veterans.
SSCL was set up in 2013 as a joint venture. The Cabinet Office held a 25 percent stake and Sopra Steria, a French IT services company, held the remaining 75 percent. The goal was to centralise shared government services, including payroll, HR, pensions, finance, and procurement, under one contractor. By the time of the breach, SSCL was running these services for more than 10 government departments. That list included the Home Office, the Department for Work and Pensions (DWP), the Ministry of Justice, the Metropolitan Police Service, and Defra.
In October 2023, roughly four months before the breach was discovered, the Cabinet Office sold its 25 percent stake to Sopra Steria for GBP 82 million. That sale removed even the limited oversight that co-ownership had provided and made SSCL a wholly owned subsidiary of a foreign IT services firm.
The breach timeline
The timeline of events is where the supply chain failure becomes clear. Hackers gained access to SSCL's payroll system at some point before February 2024, and reporting indicates they were present for several weeks before being detected. SSCL became aware of the intrusion around February 2024. The company didn't report the breach to government for roughly three months.
During that three-month gap, several things happened. In April 2024, SSCL was awarded an additional GBP 500,000 cybersecurity monitoring contract, despite the breach having already occurred weeks earlier. The contract award and the undisclosed breach overlapped in time. On 25 March 2024, the UK government publicly blamed China for APT31 cyber campaigns against UK democratic institutions. That created the political backdrop against which the MOD breach would later be disclosed.
On 6 May 2024, Sky News broke the story that Chinese state actors had hacked the Armed Forces payroll system. This prompted the parliamentary disclosure the following day. How the story reached the press before Parliament was itself a question raised in the debate that followed.
The data that was exposed
Personnel records for up to 272,000 individuals were exposed. This included names of regular forces, reserve forces, and some recently retired veterans. Bank account details were exposed across the full dataset. Home addresses and National Insurance numbers were exposed for a smaller subset of records. The vast majority of UK veterans weren't affected, as the system primarily covered current and recently serving personnel.
The government stated there was "no evidence that any data has been removed" from the system. That's a statement about the absence of evidence, not confirmation that the data wasn't taken. The system had been accessed by what Shapps described as a "malign actor," and the data was exposed to potential extraction regardless of whether that extraction could be confirmed.
The MOD's core network wasn't compromised in this incident. The payroll system was architecturally separate from the main military infrastructure, which meant the blast radius of the breach was limited to the contractor's external system. That separation was deliberate and it worked. But the data on that external system, including bank details and home addresses of people serving in sensitive military roles, was still highly sensitive.
The parliamentary response
Defence Secretary Grant Shapps addressed the House of Commons on 7 May 2024 with an eight-point response plan. He confirmed the breach and announced that the compromised system had been taken offline immediately. He launched a full investigation with Cabinet Office support and external expertise. He ordered notification of all affected personnel through their chain of command, along with letters to retired veterans. A dedicated support helpline was established for affected personnel. Commercial data monitoring services were provided to serving personnel to detect financial irregularities. Payment security changes were implemented before the system was brought back online.
Shapps also made a direct statement about the contractor's performance. "There is evidence of potential failings by them," he said, "which may have made it easier for the malign actor to gain entry." He ordered a full review of SSCL's work within the MOD. He also directed the Cabinet Office to conduct a government-wide review of all SSCL contracts.
Shadow Defence Secretary John Healey named SSCL before Shapps did, citing Defence Business Services. He raised the questions that would define the scrutiny that followed: who held the data, when was the breach discovered, when were ministers told, how did it reach the press before Parliament was informed, and what action had other departments taken about their own SSCL contracts. He accused the government of having "no cross-government China strategy" and "completely inadequate resourcing" to defend against the threat.
The attribution question
The UK government deliberately declined to formally attribute the attack to any specific nation state. Shapps stated, "We cannot at this stage rule out state involvement," but refused to confirm China's involvement when pressed, citing national security restrictions. Multiple media outlets reported China as the suspected perpetrator, based on government sources who spoke to Sky News.
The Chinese embassy called the allegations "fabricated and malicious slander" and "extremely absurd and despicable."
Ciaran Martin, the former NCSC CEO, provided context for the government's caution. He noted there was "nothing unusual or untoward about the government not saying who they think is behind the breach." He added that "accuracy and allies are more important than speed" in formal attribution. Allied intelligence services typically coordinate before public attribution of state-sponsored operations. Rushing that process can damage both accuracy and allied relationships.
As of March 2026, no formal attribution has been published. The specific technical details of the attack vector remain withheld on national security grounds.
Myth versus fact
Myth: The MOD's own computer systems were hacked
The most common misunderstanding is that attackers broke into the MOD's internal military network. That didn't happen in this particular case. The compromised system was a contractor-operated external payroll platform, architecturally separate from the MOD's core network and main HR system. Shapps confirmed this in his parliamentary statement, noting that the payroll system was "completely separate" from the core military infrastructure.
Fact: The breach occurred in a system owned and operated by a private contractor, not in any MOD-managed infrastructure. The separation between the external payroll system and the internal MOD network limited the scope of the compromise. The core military network, classified systems, and the main HR system weren't affected.
Myth: Every member of the Armed Forces had their personal data stolen
Reporting often implied that all military personnel had their data exfiltrated, with some outlets running the 272,000 figure as though it represented confirmed theft. The government said something more specific: up to 272,000 records were potentially exposed, but "no evidence that any data has been removed" from the system had been found.
Fact: Up to 272,000 records were accessible to the attacker. The government hasn't confirmed that data was exfiltrated. The full dataset included names and bank details, while home addresses and National Insurance numbers were exposed in a smaller subset of cases. Most UK veterans weren't affected, as the system primarily held records for current and recently serving personnel.
Myth: The UK government confirmed China was behind the attack
Media coverage treated China's involvement as established fact, particularly given the political context of the APT31 attribution six weeks earlier. The government never confirmed this publicly or formally. Shapps said state involvement could not be ruled out, and he declined to name any country when pressed repeatedly in Parliament.
Fact: China is widely reported as the suspected perpetrator, based on government sources cited by media outlets including Sky News. The UK government hasn't made a formal public attribution. China denied involvement, calling the allegations "fabricated and malicious slander." Ciaran Martin noted that withholding formal attribution is standard practice and reflects the need for accuracy and allied coordination, not a cover-up.
Myth: The breach had no real consequences because the data was "only" payroll information
Payroll data sounds less alarming than classified intelligence, but the contents of these records have immediate practical implications. Bank account details give attackers a direct route to financial fraud. Home addresses of military personnel, particularly those in sensitive roles, create physical security risks. National Insurance numbers are a building block for identity theft. The combination of name, bank account, and address gives an attacker everything they need for targeted fraud.
Fact: More than 5,000 affected individuals approached legal specialists about potential claims, and over 3,000 signed up for group legal action against SSCL. The government provided commercial data monitoring services to serving personnel specifically because the financial risk was considered real enough to warrant it. The consequences weren't hypothetical; they triggered protective measures, legal action, and ongoing financial monitoring.
What would have reduced the impact
Mandatory breach reporting timelines in contracts
UK General Data Protection Regulation (GDPR) requires organisations to report personal data breaches to the ICO within 72 hours of becoming aware. But SSCL sat on the breach for roughly three months before telling government. That delay suggests the contract either didn't include a specific reporting deadline, didn't enforce one, or the requirement was ignored. The GDPR reporting obligation runs to the ICO, not necessarily to the contract owner at the same speed.
Contracts with clear reporting deadlines, measured in hours not months, and financial penalties for missing them would change the incentives. The government couldn't investigate a breach it didn't know about for three months. That delay is a direct result of the reporting gap.
Right-to-audit clauses that are actually exercised
The UK government has frameworks for supply chain security. The Defence Cyber Protection Partnership (DCPP) grades contracts by cyber risk, from "Not Applicable" up to "High." PPN 014 has required Cyber Essentials for certain government supplier categories since 2014. The NCSC publishes 12 Principles of Supply Chain Security with guidance on checking supplier practices.
The question isn't whether these frameworks exist on paper. It's whether they were applied to SSCL's payroll contract and whether the audit rights they typically grant were exercised. A payroll system holding the banking details and home addresses of 272,000 military personnel should logically have attracted a "High" cyber risk profile under the DCPP model. What that designation required in practice, and whether those requirements were audited, remains unanswered.
Data minimisation
Did the payroll system need to hold home addresses and National Insurance numbers alongside names and bank details for all 272,000 personnel? Payroll processing requires bank account details for payment. It may require National Insurance numbers for tax purposes. But whether all those data elements needed to reside together in a single contractor-operated system, accessible in aggregate, is a design question that deserves scrutiny.
Keeping the most sensitive fields in a separate system with tighter access controls would have reduced the severity of the breach. That holds true even if the initial compromise couldn't have been prevented.
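The segregation argued for above, as an added illustration that is not code from the article or from SSCL: a co-located record layout is compared with a split layout in which only the fields the payroll run needs stay in the payroll store, while National Insurance number and home address sit in a separate vault reachable only with its own credential. All records, field names and the vault token are constructed for the example.

```python
"""Field-level segregation of payroll records (constructed example)."""
from dataclasses import dataclass, field
import secrets

# Constructed sample records; the people, sort codes and NI numbers are invented.
SAMPLE_RECORDS = [
    {"service_no": "C0001", "name": "A. Example", "bank": "12-34-56 00011122",
     "ni_number": "QQ123456C", "address": "1 Example Road, Exampletown"},
    {"service_no": "C0002", "name": "B. Example", "bank": "65-43-21 00033344",
     "ni_number": "QQ654321A", "address": "2 Example Road, Exampletown"},
]

# Fields the payroll run itself needs, versus fields held for other purposes.
PAYROLL_CORE_FIELDS = {"service_no", "name", "bank"}
VAULT_FIELDS = {"ni_number", "address"}


class AccessDenied(Exception):
    pass


@dataclass
class SplitPayrollStore:
    core: dict = field(default_factory=dict)   # the payroll system's own table
    vault: dict = field(default_factory=dict)  # separate system, separate credential
    vault_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def ingest(self, rec: dict) -> None:
        # The core table holds only a random reference; the vault is the only
        # place that maps it back to the sensitive fields.
        ref = secrets.token_hex(8)
        self.core[rec["service_no"]] = {k: rec[k] for k in PAYROLL_CORE_FIELDS} | {"vault_ref": ref}
        self.vault[ref] = {k: rec[k] for k in VAULT_FIELDS}

    def lookup_sensitive(self, service_no: str, token: str) -> dict:
        # Reading NI number or address needs the vault credential, so copying
        # the payroll table alone is not enough.
        if not secrets.compare_digest(token, self.vault_token):
            raise AccessDenied("vault credential required")
        return self.vault[self.core[service_no]["vault_ref"]]


def exposed_fields(store_contents: dict) -> set:
    """Field names an attacker obtains after copying a whole store."""
    return {k for row in store_contents.values() for k in row}


def compare_designs(records: list) -> dict:
    """Fields a compromise of the payroll system exposes under each design."""
    colocated = {r["service_no"]: dict(r) for r in records}
    split = SplitPayrollStore()
    for r in records:
        split.ingest(r)
    return {"colocated": exposed_fields(colocated), "split": exposed_fields(split.core)}


if __name__ == "__main__":
    for design, fields in compare_designs(SAMPLE_RECORDS).items():
        print(f"{design:10s} exposes: {sorted(fields)}")
```

The split layout still leaves names and bank details exposed if the payroll store is copied, which is the point of the comparison: segregation shrinks the blast radius, it does not remove it.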
Vendor concentration risk management
SSCL's position across more than 10 government departments created systemic risk. One contractor held payroll data for the Armed Forces, the Home Office, the DWP, the Metropolitan Police, and several other departments. A breach at that contractor could hit personnel data across the whole of government. The combined contract value for SSCL and Sopra Steria with the UK government stood at roughly GBP 1.6 billion.
That concentration limits the government's options when a breach happens. Terminating the contract straight away wasn't practical. SSCL was so deeply embedded in government operations that pulling it out would have disrupted essential services. The government ended up investigating its own contractor while relying on that same contractor to keep critical systems running.
What changed after
The government launched a specialist forensic investigation, the details of which have been withheld on national security grounds. The Cabinet Office conducted a government-wide review of all SSCL contracts. The ICO confirmed it was looking at the information the MOD provided. As of March 2026, no public enforcement action for this breach has appeared on the ICO's register.
The legal consequences have been substantial and are still growing. More than 5,000 individuals approached data breach legal specialists about potential claims against SSCL, with over 3,000 signing up for a potential group action. The claims are being pursued on behalf of serving personnel, reservists, and veterans, with particular concern about individuals in sensitive roles whose identities require protection.
Despite the breach, SSCL secured a GBP 300 million-plus contract extension in April 2025 for six departments: the DWP, Defra, the HSE, the Home Office, the Ministry of Justice, and the Office for Nuclear Regulation (ONR). That extension notably didn't include the MOD.
The broader pattern matters as much as this specific incident. The SSCL breach sits alongside SolarWinds, Kaseya VSA, and MOVEit as evidence that third-party providers are the point of failure in a growing share of major breaches. But SSCL represents something fundamentally different from those incidents. SolarWinds was a software supply chain attack through a compromised update mechanism. Kaseya was a managed service provider compromise used to deploy ransomware. MOVEit was a vulnerability in a file transfer product exploited at scale.
SSCL was a managed service supply chain compromise. It wasn't a software vulnerability or a tainted update. It was a failure of a contractor entrusted with ongoing responsibility for sensitive government data. A commercial contract, industry frameworks, and government oversight were all meant to protect that data. None of them prevented a three-month gap between discovery and disclosure.