May include bank details and addresses

https://www.bbc.com/news/uk-68966497

On Sky News

"The cyberattack was on a payroll system with current service personnel and some veterans. It is largely names and bank details that have been exposed."

https://news.sky.com/story/china-hacked-ministry-of-defence-sky-news-learns-13130757

Not sure how much it will help, but now might be a good time to ensure you have 2 factor authentication on your accounts.

i might add, in the pre JPA days, we always had an air gap between the database and the internet.

It seems like "the very limited" data on personal addresses reassurance given by the MoD = all the JPA payroll addresses. The distinction being that the majority of payroll addresses are to the unit address where you serve. Not that that is particularly reassuring either if you happen to be working somewhere where that in itself will attract more than a trivial amount of concern. Of course, many of us have had, for many differing reasons, their pay statements sent to a personal address (yep, that includes me) at various points in their career.

What isn't clear is if more than just the current or last address has been compromised. That could leave someone who had statements sent to a sensitive unit address and a previous or subsequent personal address in a bit of a pickle. Some may find themselves having to move their family home...

Finally, isn't NoK data also held with your individual record on JPA?

While appalling, it seems MoD has been reasonably quick and open. (I hope).

Unlike the February 2010 'data theft' of 'names, addresses, dates of birth, and National Insurance numbers of past and present members of the Civil Service Sports Association' - which the majority of civil servants belong(ed) to. This was only notified to members on 23 November 2012. The sound of pennies dropping could be heard across the country, but no mention of it was made.

From "#1
According to the BBC this affects " both current and some past Armed Forces members." and " it is understood that the MOD has taken immediate action
and the system has been taken off line"
Possible delay to Pay and Pension payments ?

Possible delay to Pay and Pension payments ?

MOD is briefing uniformed staff that pay and pensions for May are expected to be paid as normal. There may be some slight delay to some JPA expense payments but that should be cleared by the end of the week. Apparently the breach does not involve JPA, so you will not be having NOK addresses or OJAR extracts leaked online.

Not sure how much it will help, but now might be a good time to ensure you have 2 factor authentication on your accounts.

i might add, in the pre JPA days, we always had an air gap between the database and the internet.

If you have an `air gap` between the database and the internet how do you access the data from the internet?
Air gapped networks are networks that have no access to a particular thing, hence the gap?

If you have an `air gap` between the database and the internet how do you access the data from the internet?
Air gapped networks are networks that have no access to a particular thing, hence the gap?

Thinking back to around the turn of the century, I don't recall the computer on my Main Building desk having links to any system outside of MOD. I imagine things today are very different.

Apparently the breach does not involve JPA...

Quote from EDS blurb, the providers of the system:
Administers more than 340,000 live pay records.
Maintains over 570,000 master personnel records.
Maintains more than 725,000 pension records.
Accounts for £5.7 billion in military pay and allowances.
Provides IT services and supports over 8,000 desktop PCs worldwide.

What other live pay record system is involved if it isn't JPA?

Quote from EDS blurb, the providers of the system:


What other live pay record system is involved if it isn't JPA?
There will be a third-party contracted payroll processing company. They usually receive a 'payroll' record (large data file in one of many formats) and use that to integrate with banking systems to drop the money into the correct accounts. While the payroll record should be encrypted for transfer, how it is protected while on the third-party processing servers is up to them... It is up to the contracting organisation (MoD) to ensure and assure that the necessary levels of protection are in place. Obviously not in this case....

If you have an `air gap` between the database and the internet how do you access the data from the internet?
Air gapped networks are networks that have no access to a particular thing, hence the gap?
You didn't!
If an individual needed access to the internet, there were dedicated machines for that purpose which were not on the network. The machines had blanked off disk ports and no means of using a USB key either.
For deployed ops, we were still able to share personnel data via data links so it could be read or updated remotely, but the data remained at "our end" so even if the laptop at the deployed location went walkabout, all they had was a laptop - we still had the data.

House of Commons Statement

Defence Secretary Oral Statement to provide a Defence Personnel Update - 07 May 2024 - GOV.UK (www.gov.uk (https://www.gov.uk/government/speeches/defence-secretary-oral-statement-to-provide-a-defence-personnel-update-07-may-2024))

Back in about 2009 I was visited in mod by a vetting officer out of synch with any planned or expected vetting refresh. He said he had quite a few people to visit that day so he would be brief: A hard disk used at Innsworth for vetting casework had gone missing but they didn’t ‘think’ it had been stolen, merely that it was unaccounted for………..

Depending on what is in "Payroll information", this could be a more serious security risk than seems apparent.
If the information includes a breakdown of the payroll factors such as allowances paid, then it may be possible to make significant estimations of capability. For example, if it's possible to determine how many people at a particular location are receiving flying pay, you can make a good estimate on the maximum number of aircraft that can be crewed. If there was, hypothetically, an allowance being paid for Qualified Nuclear Reactor Operator, then again it would be easy to work out how many boats the RN could surge.

Today I received a second letter. It was addressed to Mr A, and internally on their paper has no name and address. Paragraph 3 is more direct than the generic letter from a few days ago.
Has any other person, serving or veteran, had the second letter?

I recieved a letter today, the first one I have recieved.

Are you still serving?

Me today too, recently retired from a Reserve contract, already drawing AFPS75, now topped up with a small AFPS15 addition.

Are you still serving?

No, been out a year mate.

https://cimg4.ibsrv.net/gimg/pprune.org-vbulletin/1125x937/8df28b50_c73e_4566_a109_fac97cfb3d80_842f1e802a731498faf9533 9a5605fd5b14317fc.jpeg


My pay chit looks a bit funny this month!

Mog

I'm a veteran and got a letter today.

It does not tell me what specific data of mine may have been compromised.

It promises an activation code for a data security protection service and asks veterans to call the helpline. I did and got a recorded message telling me to email my query. The letter gives 2 different email addresses - DBSinformationonline etc and DBS-Informationline etc.

It says I must report any sight of my details online via the helpline; but I do not know how I can persuade an automated message on the helpline to take my report.

I'll closely monitor the bank account into which my expenses were paid, but the misleading and incomplete letter I received merely served to annoy!

What was wrong with generating a personalised letter saying precisely what personal information of mine was held on the contractor's system and is thus potentially compromised, together with a personal activation code to the data security protection service?

Rant over - I'll await further correspondence.

FW

Not sure how much it will help, but now might be a good time to ensure you have 2 factor authentication on your accounts.

i might add, in the pre JPA days, we always had an air gap between the database and the internet.
I was an external consultant to AFPAA when JPA was spooled up.

We put together a system that was 'air-gapped' for all pay runs, with the final payment provider being a German bank. The initial data came from the nice folk at Glasgow, and it was then physically handed over to the bank who made the payments. However, as I recall, the data was pretty comprehensive and included details such as addresses. As this was about 18 years ago, so I have no idea whether the data has been in any way cut-down or sanitised since then, but at roll-out, air-gapping was very much part of the process.

* Air-gapping means that there is a physical break in the data transmission to minimise threats of electronically intercepting the data.

I awaited, and awaited, and awaited further correspondence until I decided to email my request to detail my potentially compromised data and to send me my personal activation code. I got an auto reply (using the DBS-Informationline etc address), but still nothing substantive.

FW

I awaited, and awaited, and awaited further correspondence until I decided to email my request to detail my potentially compromised data and to send me my personal activation code. I got an auto reply (using the DBS-Informationline etc address), but still nothing substantive.

FW
You aren't missing much - it is a credit reference agency, and the website is not that intuitive.

It also doesn't work if you are posted or have retired overseas and have a foreign bank account as it is a UK credit agency and they can't see foreign bank accounts.

It also tells you if any of your email addresses can be seen linked to social media accounts.