The personal information of British army, navy and air force members has been hacked in a significant data breach, raising alarm over a growing threat from cyberattacks by hostile states, Britain’s defense secretary said on Tuesday.
The attack targeted a third-party payroll system used by Britain’s Ministry of Defense, exposing the names and bank details of serving members of the armed forces and some veterans, as well as a small number of addresses.
The payroll system, which is not connected to the defense ministry’s own internal network, has been taken offline. The government did not publicly blame anyone for the data breach or confirm claims by some lawmakers who pointed the finger at China.
“We do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement,” Grant Shapps, the defense secretary, said in a statement to Parliament. “This incident is further proof that the UK is facing rising and evolving threats,” he said, adding, “The world is, I’m afraid, becoming somewhat more dangerous.”
Mr. Shapps said that an investigation had been launched into the data breach from the system run by SSCL, a contractor which also runs some business services for London’s Metropolitan Police. Only a “tiny number” of addresses had leaked, he added.
Earlier, Britain’s prime minister Rishi Sunak declined to speculate on the source of the attack but told broadcasters that the Ministry of Defense had taken the network offline, and was supporting those affected.
Asked specifically whether Chinese hackers were responsible, he said China was a country “with fundamentally different values to ours,” which was “acting in a way that is more authoritarian at home, assertive abroad.”
Britain faced “an axis of authoritarian states including Russia, Iran, North Korea and China” and had adopted a “very robust” approach to the government in Beijing, Mr. Sunak said.
Security experts note that China has been active in trying to access large troves of data before — including from British voters.
In March Britain accused China of cyberattacks that compromised the voting records of tens of millions of people, and said that the Chinese had attempted unsuccessfully to hack email accounts belonging to several members of Parliament. The deputy prime minister, Oliver Dowden, also announced sanctions against two individuals and one company linked to a state-affiliated group implicated in those attacks.
On Tuesday Ciaran Martin, a former chief executive of Britain’s National Cyber Security Center, said that Britain would want “to be technically certain,” and probably to bring allies on board, before formally accusing another state or a criminal group. “That takes time, and rightly so. Accuracy and allies are more important than speed,” he wrote on social media.
Few countries considered spying on the military assets of others to breach the unwritten rules of international relations, Mr. Martin added, describing the data breach as “a serious incident, but at the lower end of serious.”
Several British lawmakers were more explicit in their criticism. Tobias Ellwood, a Conservative lawmaker and former chairman of the House of Commons’ Defense Select Committee, told Sky News that China “was probably looking at the financially vulnerable with a view that they may be coerced in exchange for cash.”
Writing on social media, Iain Duncan Smith, a Conservative Party lawmaker, former party leader and critic of the Chinese government, described the hacking of the payroll database as “yet another example of why the U.K. government must admit that China poses a systemic threat to the U.K.”
He added: “No more pretense, China is a malign actor, supporting Russia with money and military equipment, working with Iran and North Korea in a new axis of totalitarian states.”
John Healey, who speaks for the opposition Labour Party on defense issues, said there were “so many serious questions for the defense secretary on this, especially from Forces personnel whose details were targeted.” Writing on social media he added: “Any such hostile action is utterly unacceptable.”
Asked about the reports, Lin Jian, a spokesman for the Chinese Ministry of Foreign Affairs, was dismissive.
“The remarks from British politicians concerned are utter nonsense,” Mr. Lin told a regular news briefing in Beijing on Tuesday. “China has always resolutely opposed and fought against all forms of cyberattacks, and firmly opposes exploiting cybersecurity issues for political ends to willfully malign other countries.”
Chris Buckley contributed reporting from Taipei.