Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
Data of nearly 270,000 members of nearly all armed forces of the UK was recently compromised in what appears to be a nation-state attack. The attack targeted a third-party payroll provider, underlining yet again the critical nature of third-party security.
We have covered everything that happened in the UK Ministry of Defence attack in this educational timeline. While the detailed timeline will help you delve into the details and background that experts say led to this data breach, the summary image is a quick roundup for those who want to understand the attack in under 2 minutes.
Download the UK MoD Cyber Attack Timeline document & summary image now!
Don't forget to read our blog on the UK MoD Cyber Attack for more context.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In May 2024 it emerged that a third-party payroll system used by the UK Ministry of Defence (MoD) had been compromised in a cyber attack, exposing the personal information of an estimated 270,000 serving armed forces personnel, reservists and veterans. The affected system was operated by an external contractor - later confirmed as SSCL, a subsidiary of Sopra Steria - and held names, bank details and, in some cases, home addresses. It sat outside the MoD's core protected networks. UK officials reportedly suspected Chinese state involvement, though the government did not formally attribute the attack, describing it instead as the work of a 'malign actor'. It became one of the most high-profile breaches affecting UK defence personnel data.
The breach of the MoD's contractor-run payroll system was made public in early May 2024, with the first major reports on 6 May 2024 and a statement from Prime Minister Rishi Sunak on 7 May 2024. The MoD had reportedly been working for several days to understand the scale of the hack before it became public, and reporting suggested the intrusion may have been carried out two or three times. Separately, on 25 March 2024, the US and UK had already announced sanctions and charges against the China-linked hacking group APT31 over a wider cyber-espionage campaign - the backdrop against which the MoD breach was later reported.
No attacker was formally identified. UK officials reportedly suspected China was behind the breach, and the incident surfaced shortly after Western governments publicly linked the APT31 group to China's Ministry of State Security. However, the UK government deliberately stopped short of naming Beijing, with Defence Secretary Grant Shapps calling it 'the suspected work of a malign actor' and saying state involvement could not be ruled out. China rejected the suggestion, dismissing the claims as 'completely fabricated and malicious slanders'. Attribution therefore remained suspected rather than confirmed.
The compromised system was a third-party payroll and payment system, not part of the MoD's own protected networks. Shadow Defence Secretary John Healey named Sopra Steria as the parent firm, and Grant Shapps confirmed the contractor was its subsidiary SSCL (Shared Services Connected Ltd). SSCL reportedly provided core payroll, HR and pension services for around 230,000 military personnel and reservists and some 2 million veterans. Shapps said there was 'evidence of potential failings' in the contractor-run payroll software that may have made access easier.
The affected system held the names and bank details of current and former armed forces members, and in some cases their home addresses - reportedly a few thousand. According to reporting, every serving member apart from UK special forces was potentially affected. The MoD initially stated it did not believe data had been taken and urged personnel not to be concerned for their safety, while continuing to assess the full scale of the incident.
Reporting indicated that around 270,000 people were affected, covering serving regular and reserve armed forces personnel and veterans whose details were held on the contractor's system. A few thousand home addresses were also reportedly included in the exposed data.
No. Reporting and official statements indicated the affected system was a contractor-operated payroll and payment system that sat outside the MoD's core protected networks, and the wider MoD network was not reported to have been breached. The Ministry said it had taken the affected network offline as a precaution while it investigated.
No ransom was reported in connection with the incident. The available reporting framed the breach as suspected espionage - potentially aimed at identifying 'financially vulnerable' personnel who could be targeted - rather than a financially motivated ransomware attack, and no ransom demand, downtime or recovery period was publicly documented.
The government chose not to publicly attribute the attack to Beijing, even as officials privately suspected Chinese involvement and MPs pressed for a clear statement. Ministers said it would not be possible to release further details at that stage, and the contractor managing the system was placed under security review. The decision drew criticism from some MPs, including former armed forces minister Mark Francois, who urged the government to 'stand up' to China.
The MoD took the affected network offline, launched an investigation into the scale of the breach and placed the contractor managing the system under security review. Defence Secretary Grant Shapps made a statement to Parliament and set out a plan to support and protect affected personnel, and the breach was notified to the UK government. Ministers also warned more broadly about hostile states targeting UK organisations for cyber-espionage.
Not directly or officially. The MoD payroll breach surfaced weeks after the US and UK sanctioned and charged the APT31 group - described as an arm of China's Ministry of State Security - over a separate, long-running cyber-espionage campaign targeting lawmakers, officials and companies. While both were reported in the same period and both raised concerns about Chinese state activity, the MoD payroll breach was not formally attributed to APT31 or to China.
The MoD incident is a clear example of third-party and supply-chain risk: a trusted contractor's system became the route to highly sensitive personal data, even though the organisation's own core networks were not breached. The key lessons are that third-party and contractor security must be assessed and monitored as rigorously as internal systems; sensitive data such as bank details should be tightly controlled and never left poorly protected; and organisations need tested incident response plans and clear crisis communications for when a supplier is compromised. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.