Having suffered a hack allegedly orchestrated by Beijing, the firm – whose clients include DWP, Home Office, MoJ and many more – will be subjected to an investigation of its government work
Major Whitehall tech supplier SSCL faces an investigation into its work across government after ministers revealed that the IT services firm was the company affected by the recent breach of military personnel data.
Earlier this week it was revealed that, following an attack allegedly orchestrated by the Chinese state, personal information on as many as 270,000 servicemen and women and veterans had been exposed. The information accessed by attackers – which included names, addresses, and bank account details – was stored on the systems of an external payroll software system used by the Ministry of Defence.
In a subsequent update to the House of Commons, defence secretary Grant Shapps revealed that the technology provider involved in the incident is Shared Services Connected Ltd, commonly known as SSCL – a familiar name to a client list that includes not just the MoD, but many of government’s largest departments.
Shapps told MPs that the government has “not only ordered a full review of work within the MoD, but gone further and requested from the Cabinet Office a full review of [SSCL’s] work across government”. This investigation is already underway and, once it concludes, the company may face sanctions, the defence secretary suggested.
Related content
“The Cabinet Office is calling in specialist analysts who will carry out that work over the coming weeks,” he said. “We expect very high standards from our contractors that work with the lives and livelihoods of our service personnel, so we will take all appropriate actions.”
Shapps added: “The concerning thing about this particular incident is that SSCL is a primary contractor, rather than a subcontractor, but… our intention—indeed, our instruction—is to go right the way through [the supply chain];… we take this incredibly seriously. It is unacceptable that it happened, and we will take every possible measure, once we have got to the forensic truth of what happened, including against the contractor and any subcontractors.”
Client list
SSCL was originally created as a joint venture between the Cabinet and Sopra Steria with the remit of providing large-scale shared software services to government clients. After 10 years of partnership, it is now wholly owned by the French IT services outfit, which bought out government’s 25% stake last year for £82m.
Although no longer part-owned by government, the company maintains a lengthy roster of departmental clients for its software services, covering the provision of HR, accounting, payroll, procurement, and other back-office tools.
Alongside the MoD on SSCL’s customer list are: the Department for Work and Pensions; the Home Office; the Department for Environment Food and Rural Affairs – and several of its arm’s-length bodies; the Ministry of Justice, as well as HM Courts and Tribunals Service and HM Prison and Probation Service; the Cabinet Office; and the Department for Transport. The firm also works with various other central government agencies and London’s Metropolitan Police Service and claims to provide payroll services for more than 500,000 public-sector employees, and administer the pensions of over two million military veterans.
Its most recently available annual accounts, for the 2022 calendar year, reveal that the company provided almost £300m of services to these organisations.
PublicTechnology contacted representatives of SSCL to ask whether the company wished to provide any comment or information, or reassurances or advice for its other government clients. The firm advised that all enquiries should be directed to the MoD.
Despite the initial reports claiming that the breach of military personnel data was led by China, the government has yet to formally attribute the incident to anyone other than a “malign actor”.
Having been urged to call out China in the Commons this week, the defence secretary told MPs that “I am simply unable to do that at this stage”.
“If attribution is required, it should happen in a timely and speedy manner,” he said. “I undertake… to ensure that that happens in this case, and that we do not have many months or years pass by without it being mentioned.”
