On 7th May, several China-sponsored cyber-attacks on the Ministry of Defence (MoD) compromised data from its outsourced payroll system, SSCL (a subsidiary of Paris-based Sopra Steria) – exposing the names and banking information of 270,000 past and present
military personnel from the Royal Navy, Army, Royal Air Force.
In the wake of this news, Finextra explores how institutions can best react to, and recover from, a
data breach such as this.
Here is a four-point checklist on how best to respond:
1. Go dark and investigate
In the case of the MOD attack, the payroll system was taken offline and investigations –by government cybersecurity agencies, GCHQ and NCSC – immediately commenced. This served to limit the number of breaches and prevent additional data loss.
Working with a forensic expert is protocol for a breach of this scale, acting to identify exactly what happened and in which network segment, and to limit further waves of attack. The expert should review logs to determine who had access to the data at the
time of the breach, and conduct a re-evaluation of which parties should hold access.
2. Implement a plan
Once experts have been communicated with, a plan must be put into place to prevent ensuing threats. This includes working with a trusted security provider to understand the institution’s ‘achilleas heal’ and implement a layered approach that offers improved
protection for all stakeholders.
A team such as this may span forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
In the wake of the attack on the MOD, UK defence secretary, Grant Shapps, appeared in the House of Commons on 7th May to update members of parliament and set out a multi-point plan, which included action to protect affected service men and women.
3. Work with victims
The next critical step is to notify and support any parties negatively impacted by the breach. This means considering state laws, the nature of the compromise, the type of information taken, the likelihood of misuse, and the expected damage if the information
is misused. This, along with the presentation of a clear response plan, is for transparency reasons and works to preserve the entity’s relationship with the affected party – be it a vendor or customer.
Naturally, it advisable to have a response team already in place that can handle all breach events. This offers a single and consistent port-of-call to answer all anticipated questions. The team should also address exactly how affected parties can conduct
their own follow-up measures, if desired.
In some instances, it is appropriate for the institution to inform law enforcement or the relevant government department, if national security is at stake. The MOD has already completed this step, as well as making veterans' organisations aware of what happened.
4. Evaluate the response
This is the final step in recovering from a data breach. Unfortunately, it is unlikely that an institution with vast stores of data will be attacked only once in its lifetime. According to a
global study conducted by Cymulate, repeated attacks are in fact the norm. Over two-thirds (67%) of organisations attacked get attacked again within a year, and 10% experience 10 or more incidents
within 12 months. As such, data breaches must be expected and planned for, or they may increase in frequency and severity.
Following the first attack – once the affected system has been secured, security measures are bolstered, and victims have been informed – final checks and evaluations of the process itself should be conducted. How effective was the response? Are there ways
in which it could be streamlined next time? How successful was the team in handling the relationship with customers and vendors? Does the new security system stand up to attack testing? How was the leaked data misused? How successfully was at-risk data contained?
Shoring up defences
As for the government’s multi-point response to the cyber-attack on the MOD, it will be subject not only to internal, but national scrutiny. After all, this breach did not occur in isolation – it follows a string of cyber assaults in past years, including
China’s August 2021 hack targeting the details of millions of voters held by the Electoral Commission, and the December 2023 activity that attempted to interfere with the
UK’s democratic process.
In the wake of the breach, it is evident that all institutions must regularly review their response plan to ensure they remain nimble in the face of increasingly sophisticated cyber-attacks. Time will tell whether the UK government’s recovery is decisive
enough to fend off further attempts from the east on national data.