MoD contractor hacked by China failed to report breach for months

The IT company targeted in a Chinese hack that accessed the data of hundreds of thousands of Ministry of Defence staff failed to report the breach for months, the Guardian can reveal.

Shapps said the payroll records of about 270,000 current and former military personnel, including their home addresses, had been accessed. China has not been openly named by the government as the culprit.

The MoD was told of the hack in recent days but a number of sources said SSCL, an arm of the French tech company Sopra Steria, became aware of the breach in February.

Sopra Steria did not respond to requests for comment.

The payroll data that was hacked reflects only a fraction of the work SSCL does for the government.

Sopra Steria and SSCL are understood to have other undisclosed government cybersecurity contracts, according to Whitehall sources. However, these are deemed so sensitive that they have never been publicly disclosed. The Cabinet Office declined to comment on the detail of contracts, citing security restrictions.

Whitehall worries over a lack of transparency by SSCL have raised concerns that there could be a wider compromise of its systems. Sopra Steria is one of a handful of strategic suppliers to the government, with work ranging from administering pensions to wider payments systems for government departments and agencies.

The hack was first internally detected in February, sources said, with concerns about potentially successful phishing attacks on the company dating back to December 2019.

SSCL and its parent company hold a total of