UK MOD Pay & Pensions Data Breach
On Sky News
"The cyberattack was on a payroll system with current service personnel and some veterans. It is largely names and bank details that have been exposed."
https://news.sky.com/story/china-hac...earns-13130757
Not sure how much it will help, but now might be a good time to ensure you have 2 factor authentication on your accounts.
I might add, in the pre-JPA days, we always had an air gap between the database and the internet.
It seems like "the very limited" data on personal addresses reassurance given by the MoD = all the JPA payroll addresses. The distinction being that the majority of payroll addresses are to the unit address where you serve. Not that that is particularly reassuring either if you happen to be working somewhere where that in itself will attract more than a trivial amount of concern. Of course, many of us have had, for many differing reasons, their pay statements sent to a personal address (yep, that includes me) at various points in their career.
What isn't clear is if more than just the current or last address has been compromised. That could leave someone who had statements sent to a sensitive unit address and a previous or subsequent personal address in a bit of a pickle. Some may find themselves having to move their family home...
Finally, isn't NoK data also held with your individual record on JPA?
While appalling, it seems MoD has been reasonably quick and open. (I hope).
Unlike the February 2010 'data theft' of 'names, addresses, dates of birth, and National Insurance numbers of past and present members of the Civil Service Sports Association' - which the majority of civil servants belong(ed) to. This was only notified to members on 23 November 2012. The sound of pennies dropping could be heard across the country, but no mention of it was made.
From "#1
According to the BBC this affects "both current and some past Armed Forces members." and "it is understood that the MOD has taken immediate action and the system has been taken off line"
Possible delay to Pay and Pension payments?
Air gapped networks are networks that have no access to a particular thing, hence the gap?
Thinking back to around the turn of the century, I don't recall the computer on my Main Building desk having links to any system outside of MOD. I imagine things today are very different.
Quote from EDS blurb, the providers of the system:
What other live pay record system is involved if it isn't JPA?
Administers more than 340,000 live pay records.
Maintains over 570,000 master personnel records.
Maintains more than 725,000 pension records.
Accounts for £5.7 billion in military pay and allowances.
Provides IT services and supports over 8,000 desktop PCs worldwide.
There will be a third-party contracted payroll processing company. They usually receive a 'payroll' record (large data file in one of many formats) and use that to integrate with banking systems to drop the money into the correct accounts. While the payroll record should be encrypted for transfer, how it is protected while on the third-party processing servers is up to them... It is up to the contracting organisation (MoD) to ensure and assure that the necessary levels of protection are in place. Obviously not in this case....
If an individual needed access to the internet, there were dedicated machines for that purpose which were not on the network. The machines had blanked off disk ports and no means of using a USB key either.
For deployed ops, we were still able to share personnel data via data links so it could be read or updated remotely, but the data remained at "our end" so even if the laptop at the deployed location went walkabout, all they had was a laptop - we still had the data.
House of Commons Statement
Defence Secretary Oral Statement to provide a Defence Personnel Update - 07 May 2024 - GOV.UK (www.gov.uk)
Back in about 2009 I was visited in MOD by a vetting officer out of synch with any planned or expected vetting refresh. He said he had quite a few people to visit that day so he would be brief: A hard disk used at Innsworth for vetting casework had gone missing but they didn’t ‘think’ it had been stolen, merely that it was unaccounted for...
Depending on what is in "Payroll information", this could be a more serious security risk than seems apparent.
If the information includes a breakdown of the payroll factors such as allowances paid, then it may be possible to make significant estimations of capability. For example, if it's possible to determine how many people at a particular location are receiving flying pay, you can make a good estimate on the maximum number of aircraft that can be crewed. If there was, hypothetically, an allowance being paid for Qualified Nuclear Reactor Operator, then again it would be easy to work out how many boats the RN could surge.
Second letter
Today I received a second letter. It was addressed to Mr A, and internally on their paper has no name and address. Paragraph 3 is more direct than the generic letter from a few days ago.
Has any other person, serving or veteran, had the second letter?