Advice on the Armed Forces pay network compromise

There has been a compromise to an Armed Forces payment network. The Defence Secretary has updated Parliament. This is an external network, separate to MOD’s core systems, and is not connected to the main military HR system – JPA. This is operated by a contractor. All functions within the JPA system have continued securely throughout.

This incident potentially impacts personal data of current regular and reservist personnel and a small number of veterans. The data includes names and bank details, and for a small proportion of individuals, addresses. Address data may be place of work, administration address, or home address. Those whose home address is identified are in the process of being written to. 

MyHR is not affected by this incident. Payment details of Civil Servants and members of the Royal Fleet Auxiliary are not affected.

We have taken immediate remedial action, taking the network offline to minimise risk. Initial investigations have found no evidence that any data has been removed from the network, but we will continue to investigate, working closely with other agencies. We have also launched a full review, drawing on specialist external and Cabinet Office support and expertise. We are also investigating potential failings by the contractor.

Specialist advice, guidance, and support is available. We have purchased independent licences from a commercial data protection service for serving personnel. As always, and where necessary, there is access to welfare and financial support.

Everyone was paid as normal in April, and we are confident that salaries for May will not be affected. Personnel may have noticed a slight delay in the payments of routine expenses. We are in the process of restoring normal systems, and a solution is in place to ensure we facilitate all outstanding expenses payments, which should be paid by the end of the week. High value payments continue, and all outstanding Forces Help To Buy and Terminal Benefits payments have been paid by a BACS transfer.

If you notice or have been advised that your details are unexpectedly online, report it immediately to your chain of command. Do not attempt to edit or delete the data or contact the website owner. Do not engage with anyone who claims to be you.

You should submit a Security Incident Report Form (SIRF) and inform your Chain of Command if your personal details are published online. When a SIRF is submitted on the internet, it is reviewed by MOD security personnel and subjected to an initial security risk assessment, with further action taken on a proportionate basis. If you discover your details online you must not attempt to edit/delete the data and/or attempt to contact the website owner. Instead, provide the details on the SIRF so it can be assessed by security personnel. Separately, if you are directly contacted by anyone who claims to have identified you, do not engage. Report the encounter via a SIRF providing the details so it can be assessed by security personnel.

Support available

We realise this news may cause some anxiety. Serving personnel are encouraged to highlight any welfare or financial concerns to your chain of command. For those who are unable to use local support networks, a dedicated phone line has been established. This number is 01249 596665 or e-mail DBS-Informationline@mod.gov.uk,

Personal security guides

If you experience or notice any suspicious activity, you should contact your chain of command immediately. All personnel are advised to look out for official sounding emails about resetting passwords, and to be wary of messages requesting confirmation of identity or being urged to take immediate action. 

The MOD’s guide – Advice and Guidance: Compromise of Personal Information Protecting Your Privacy – is available on the MOD intranet, and the National Cyber Security Centre’s Data breach guidance for individuals – NCSC.GOV.UK,  are good starting points for information.  They document the immediate actions you must undertake to safeguard your personal information and detail other additional preventative measures you may wish to take.

The National Counter Terrorism Security Office (NaCTSO) has also produced a useful and comprehensive Guide to Personal Security. Recommendations contained within this guidance are primarily common-sense precautions, albeit not exhaustive. Their usefulness will depend on your personal circumstances, but are based on research, lessons learned from historic events, expert advice, and best practice.

The following resources may also be helpful: 

The Think Before You Link app can be downloaded to your personal devices.  The app provides tutorials on the importance of and how to manage your digital footprint, as well as guidance on how to recognise a potentially malicious approach online. 

Identity fraud

There is no requirement for you to do anything immediately, but you could consider a review of cyber best practice; for example, reviewing your personal social media privacy settings. You may also consider opting out of the open electoral register – www.ico.org.uk/for-the-public/electoral-register

If you become aware of any unexpected activity, it may be sensible to change associated passwords or speak to your bank.

Individuals will no longer be able to register for the personal data protection service after 1 November 2024

Users will no longer be able to register or activate the service after that date. Those already registered will continue to be able to access the service for 12 months starting from the date of activation, as previously notified.

Data security protection service

We have obtained an operating licence for to a world class data security protection service.   For the non-serving community, an update will be provided on 01249 596665 or via an e-mail sent to DBS-Informationline@mod.gov.uk  

These services do not interact with the credit scoring system or report to the credit bureaus. There is no direct impact on your credit score from activating this service.

If you transfer an element of your pay to another person’s account at source (i.e. directly from JPA), it would be prudent to advise them about this incident. The commercial data protection service we are providing will also be made available to them if required.  You should highlight this requirement to your line management or DBS in support of obtaining a second licence.  

For those serving independently, or if your loved one is deployed, specific arrangements have been put in place by the chain of Command. If in doubt, please contact your local support network. 

We are in the process of generating an automated system for small proportion of veterans and Cadet Adult Volunteers affected by the issue. If this applies to you, you are advised to dial the call centre 01249 596665 or e-mail DBS-Informationline@mod.gov.uk  

For those in the Armed Forces, the TLB Principal Security Advisor teams remain available to provide advice, should it be required.  Contact details are available at the DefNet Sy and Resilience Portal on SharePoint.

Further advice

At present, we have no indication that this data has been exploited, but it is prudent to remain vigilant and continue to review your statements for unauthorised payments.

Whilst you are probably already doing this, the following six signs are worth looking out for:

  1. Watch for any unauthorised activity: Always know what transactions are expected. Even the smallest unauthorised transfer can be a warning sign.
  2. Don’t ignore notifications: If you get an email saying your account details have changed and you didn’t change them, your account may be compromised.
  3. Beware of bogus calls: If someone phones and claims to be from your payment provider, insist on calling them back on the company’s public phone number.
  4. Don’t trust the text: If you suddenly start getting messages or calls from a mobile number that your provider doesn’t normally use – be very suspicious.
  5. Check every email: If an email or other online communication doesn’t look genuine, don’t reply to it without checking with your provider.
  6. Look out for bogus links: If you see strange activity on your account, check to see if you’ve recently clicked on any retrospectively suspicious links.

Banks routinely monitor your account and report unusual activity.  Most banks also use two-factor authentication. You are encouraged to use these techniques if available. It is likely that your bank will be in touch with you if they detect anything suspicious with your account.

Frequently asked questions


Network compromise frequently asked questions (PDF, 164 KB, 5 pages)

Leave a Comment