UK Military Data Breach a Reminder of Third-Party Risk in Defense Sector

Published: 23/11/2024   Category: security




An attacker accessed personal information on more than 225,000 active, reserve, and former UK military members via a third-party payroll processing system.



The disclosure of a breach exposing data on more than 225,000 UK military personnel underscores the security risk that external contractors pose to defense organizations worldwide.
The exposure, which came to light just this week, stemmed from a threat actor accessing the names, bank account details, and other information for current, former, and reserve members of the British Army, Naval Service, and Royal Air Force from a company handling payroll services for the UK Ministry of Defence (MoD).
The BBC and other UK media outlets identified the external contractor as Shared Services Connected Ltd and say the breached payroll system holds information on military personnel going back several years. In comments to Members of Parliament, the UK's Secretary of State for Defence, Grant Shapps, described the attack as the work of a "malign actor" that was very likely nation-state backed. While some senior government officials pointed to China as the most likely suspect, Shapps himself stopped short of attributing the attack to anyone by name.
Instead, he blamed the third-party contractor for not doing enough to protect its systems against attack. "Malign actors gained access to a part of the armed forces payment network via an external system that is completely separate from the MoD core network and not connected to the main military HR system," Shapps said. "It is operated by a contractor, and there is evidence of potential failings by them which may have made it easier for the malign actor to gain entry," he emphasized. Shapps added that the UK government has initiated a special security review of the contractor and its operations.
The latest incident marks the second time in less than a year that an external contractor was responsible for exposing data related to the UK military. Last August, the LockBit ransomware gang stole some 10GB of data from Zaun, a company that supplies mesh fencing for UK military facilities. Zaun described the breach as the result of a rogue Windows 7 system on its network; Windows 7 reached end of support in January 2020, so such a machine had gone years without security patches. The company said LockBit actors accessed a system that contained historic emails, orders, drawings, and project files but no classified information or military secrets.
Breaches like these highlight the vulnerable underbelly that external contractors present to attackers targeting military and defense data and systems. In June 2023, Adlumin reported on a threat actor dropping a novel backdoor called PowerDrop on systems belonging to at least one US defense contractor. And last month, the US government released details of a multiyear effort by Iranian cyberspies to steal US military secrets by targeting employees at defense contracting firms who hold high-level security clearances.
Eric Noonan, CEO of CyberSheath, says third-party contractors that work with the military are an attractive target because these organizations often overlook vital security measures. "In the US, there has been over a decade-long fight by the DoD to force minimum security standards on third-party contractors through its [Cybersecurity Maturity Model Certification] program," he says. "But until contractors are faced with losing out on contracts due to poor security, I don't expect much will change."
Noonan points to research CyberSheath conducted last year showing that a high percentage of the Defense Industrial Base lacked basic cybersecurity controls, putting the entire Pentagon supply chain at risk. For instance, 81% of the contractors in CyberSheath's study did not have a formal vulnerability management system; 75% had not implemented multifactor authentication; and 75% did not have a backup plan.
A May 2022 study by Black Kite of the top 100 US defense contractors uncovered similar issues: 72%, for instance, had experienced at least one leaked credential in the preceding 90 days; 32% were vulnerable to ransomware attacks; and 17% were using out-of-date — and therefore unsupported — systems.
"Industries like defense and other critical infrastructure sectors must be regulated to implement mandatory minimum cybersecurity standards," Noonan says. "The private companies operating in these sectors haven't made the required investments in cybersecurity, and they won't, unless it's forced through regulation like CMMC."
Stephen Gates, principal security SME at Horizon3.ai, says third-party cyber risk has generally never been higher. "It's one of the reasons why organizations are now nearly mandating their third-party suppliers perform continuous cyber-risk assessments of their own infrastructures to ensure they are not transferring their risk to others — especially their buyers."
The challenge for organizations is how to execute continuous cyber assessments. "Checkbox self-assessment exercises and external penetration testing that test merely a small portion of the network have been largely unsuccessful," Gates says. "Therefore, initiatives are surfacing, which are all calling for increases in continuously assessing cyber risk," he says.
As examples, Gates points to an initiative the US Navy launched in November 2023 to provide realistic cyber assessments via automated and manual testing of security protections, and another from the US DoD called the Cyber Operational Readiness Assessment (CORA) program.
