Our spokesperson said:
“The Ministry of Defence has made us aware of this incident and we are assessing the information provided”.
Q&A from the Information Commissioner’s Office
What is the ICO’s role after an organisation experiences a cyber attack?
All organisations who are entrusted with people’s personal information must ensure they have the correct technical and security measures in place to guard against a cyber attack.
If an attack does happen, and an organisation has concerns about personal data being accessed, they should report that to the ICO within 72 hours of becoming aware of the breach.
Critical incidents affecting the security of the United Kingdom may also need to be reported to other agencies such as the National Cyber Security Centre.
Are cyber attacks common?
From 7 May 2022 to 6 May 2023, 25.9% of personal data breaches reported to the ICO were cyber related. In the last 12 months this figure has risen to 32.5%.
The ICO proactively publishes data on breaches reported to it on its website. The data has a number of limitations and the ICO figures rely on the data it is provided with by the reporting organisations.
Who are the ICO?
The ICO is the UK’s independent regulator for data protection. It works to protect people’s privacy rights, taking action so that people can trust their information is being properly looked after.
Last year, the ICO dealt with almost 40,000 complaints about data protection, as well as taking more than 300,000 calls through its helpline.
What happens next?
The ICO is monitoring developments on this issue closely and is in direct contact with the Ministry of Defence in order to establish the details and determine next steps. If the ICO finds evidence that the Ministry of Defence failed in its legal obligation to ensure it had the correct safety and security measures in place to protect the personal information entrusted to it by people, it can take action.
Should businesses be worried about cyber attacks too?
All organisations should ensure they have robust measures in place to protect personal data.
All organisations should regularly monitor for suspicious activity and immediately act on warnings, keep software updated, remove unused platforms and provide regular staff training to ensure, where possible, preventable mistakes are not made.