Cyber-attack Timeline: UK Ministry of Defence

Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience


Download Our Educational Cyber-Attack Timeline (UK MoD)

The data of nearly 270,000 members of nearly all of the UK's armed forces was recently compromised in what appears to be a nation-state attack. The attack targeted a third-party payroll provider, underlining yet again the critical nature of third-party security.

We have covered everything that happened in the UK Ministry of Defence attack in this educational timeline. While the detailed timeline will help you delve into the details and background that experts say led to this data breach, the summary image is a quick roundup for those who want to understand the attack in under 2 minutes. 

Download the UK MoD Cyber Attack Timeline document & summary image now! 

Don't forget to read our blog on the UK MoD Cyber Attack for more context.  

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • **GDPR** We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed MOD attack document and timeline.


UK MoD Cyber Attack FAQs

  • 1. What happened in the UK Ministry of Defence (MoD) cyber attack?

    In May 2024 it emerged that a third-party payroll system used by the UK Ministry of Defence (MoD) had been compromised in a cyber attack, exposing the personal information of an estimated 270,000 serving armed forces personnel, reservists and veterans. The affected system was operated by an external contractor - later confirmed as SSCL, a subsidiary of Sopra Steria - and held names, bank details and, in some cases, home addresses. It sat outside the MoD's core protected networks. UK officials reportedly suspected Chinese state involvement, though the government did not formally attribute the attack, describing it instead as the work of a 'malign actor'. It became one of the most high-profile breaches affecting UK defence personnel data.

  • 2. When did the MoD cyber attack take place?

    The breach of the MoD's contractor-run payroll system was made public in early May 2024, with the first major reports on 6 May 2024 and a statement from Prime Minister Rishi Sunak on 7 May 2024. The MoD had reportedly been working for several days to understand the scale of the hack before it became public, and reporting suggested the intrusion may have been carried out two or three times. Separately, on 25 March 2024, the US and UK had already announced sanctions and charges against the China-linked hacking group APT31 over a wider cyber-espionage campaign - the backdrop against which the MoD breach was later reported.

  • 3. Who was behind the MoD cyber attack?

    No attacker was formally identified. UK officials reportedly suspected China was behind the breach, and the incident surfaced shortly after Western governments publicly linked the APT31 group to China's Ministry of State Security. However, the UK government deliberately stopped short of naming Beijing, with Defence Secretary Grant Shapps calling it 'the suspected work of a malign actor' and saying state involvement could not be ruled out. China rejected the suggestion, dismissing the claims as 'completely fabricated and malicious slanders'. Attribution therefore remained suspected rather than confirmed.

  • 4. Which system and contractor were affected in the MoD breach?

    The compromised system was a third-party payroll and payment system, not part of the MoD's own protected networks. Shadow Defence Secretary John Healey named Sopra Steria as the parent firm, and Grant Shapps confirmed the contractor was its subsidiary SSCL (Shared Services Connected Ltd). SSCL reportedly provided core payroll, HR and pension services for around 230,000 military personnel and reservists and some 2 million veterans. Shapps said there was 'evidence of potential failings' in the contractor-run payroll software that may have made access easier.

  • 5. What data was exposed in the MoD breach?

    The affected system held the names and bank details of current and former armed forces members, and in some cases their home addresses - reportedly a few thousand. According to reporting, every serving member apart from UK special forces was potentially affected. The MoD initially stated it did not believe data had been taken and urged personnel not to be concerned for their safety, while continuing to assess the full scale of the incident.

  • 6. How many people were affected by the MoD cyber attack?

    Reporting indicated that around 270,000 people were affected, covering serving regular and reserve armed forces personnel and veterans whose details were held on the contractor's system. A few thousand home addresses were also reportedly included in the exposed data.

  • 7. Was the MoD's main network compromised?

    No. Reporting and official statements indicated the affected system was a contractor-operated payroll and payment system that sat outside the MoD's core protected networks, and the wider MoD network was not reported to have been breached. The Ministry said it had taken the affected network offline as a precaution while it investigated.

  • 8. Was a ransom paid in the MoD cyber attack?

    No ransom was reported in connection with the incident. The available reporting framed the breach as suspected espionage - potentially aimed at identifying 'financially vulnerable' personnel who could be targeted - rather than a financially motivated ransomware attack, and no ransom demand, downtime or recovery period was publicly documented.

  • 9. Why didn't the UK government officially blame China?

    The government chose not to publicly attribute the attack to Beijing, even as officials privately suspected Chinese involvement and MPs pressed for a clear statement. Ministers said it would not be possible to release further details at that stage, and the contractor managing the system was placed under security review. The decision drew criticism from some MPs, including former armed forces minister Mark Francois, who urged the government to 'stand up' to China.

  • 10. How did the MoD respond to the cyber attack?

    The MoD took the affected network offline, launched an investigation into the scale of the breach and placed the contractor managing the system under security review. Defence Secretary Grant Shapps made a statement to Parliament and set out a plan to support and protect affected personnel, and the breach was notified to the UK government. Ministers also warned more broadly about hostile states targeting UK organisations for cyber-espionage.

  • 11. Was the MoD breach linked to the APT31 China hacking campaign?

    Not directly or officially. The MoD payroll breach surfaced weeks after the US and UK sanctioned and charged the APT31 group - described as an arm of China's Ministry of State Security - over a separate, long-running cyber-espionage campaign targeting lawmakers, officials and companies. While both were reported in the same period and both raised concerns about Chinese state activity, the MoD payroll breach was not formally attributed to APT31 or to China.

  • 12. What can organisations learn from the MoD cyber attack?

    The MoD incident is a clear example of third-party and supply-chain risk: a trusted contractor's system became the route to highly sensitive personal data, even though the organisation's own core networks were not breached. The key lessons are that third-party and contractor security must be assessed and monitored as rigorously as internal systems; sensitive data such as bank details should be tightly controlled and never left poorly protected; and organisations need tested incident response plans and clear crisis communications for when a supplier is compromised. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry-experienced practitioners when it comes to cyber security training & cyber security consultancy services.


Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.


Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.


Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.


Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.


Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.


Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information, and pressing the "Get your free copy now" button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and their outputs. (For example, we tend to create insightful mind maps and we are also the creators of the free-to-view Insights with Cyber Leaders Video Interviews.)
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.

Download the UK MoD Cyber Attack detailed document and timeline today. 
