Why the MoD attack shines a spotlight on the dangers of legacy security infrastructure
May 2024 by Simon Bain, CEO and founder of OmniIndex
The MoD is still ‘protecting’ the data of service personnel with outdated and obsolete technology, says Simon Bain, CEO of OmniIndex
The Ministry of Defence this week announced that it had suffered a data breach via a third-party contractor, resulting in the names and bank details of past and present personnel falling into the wrong hands. In response, defence secretary Grant Shapps has ordered a “specialist” review of the payroll contractor used by the MoD, which many news outlets claim was infiltrated by cybercriminals in China.
While the reports that China is involved in the attack are yet to be confirmed and may never be, there are more important lessons to learn from this attack. The most pertinent is that you can’t and shouldn’t gamble with the safety of other people’s data, least of all the data of those working in areas of national security.
And while government-backed specialist reviews are perhaps the least that can be expected in the wake of such a breach, they do little to repair the actual damage caused. In fact, little can be done to repair any damage once people’s private data has been breached.
Hindsight now affords the ministry the privilege of knowing it could and should have done something to stop this long ago.
The issue with legacy security technology
Questions must be asked of the government about how such sensitive data can so easily be accessed and stolen by criminals. The Ministry of Defence should undoubtedly be utilising the most advanced and modern technology to protect data, and should only be working with third-party suppliers that do the same.
Legacy security infrastructure leaves critical information like the names and bank details of veterans vulnerable to attack because the data is used in a decrypted state. This means that if a system is accessed through an attack or due to user error, the information is visible and therefore exposed. In other words, once an attacker is through the doors then everything is up for grabs with all information easily accessible.
Due to the prominence and danger of the vulnerabilities in their infrastructure, organisations using legacy services are ultimately left with two stark choices: stop working with third-party providers that don’t engage with modern security efforts to eliminate the risk of attack, or accept the risk and cross your fingers that your data is safe.
Modern data security
Organisations like the MoD should be expecting attacks such as this and taking steps to limit and prevent the threat of attack as best they can. The security of third-party suppliers is not out of your control: they should be audited strictly, and there should be an ongoing close relationship to ensure that any eventuality is prepared for.
To counteract the threat of attack, the MoD and its supply chain should be investing in modern security systems, such as those that use an enhanced form of encryption known as fully homomorphic encryption (FHE). This type of encryption means that private information such as service personnel’s finances can be subjected to analytics, and that necessary acts such as calculating taxes can all be done without that information ever being decrypted. The advantage of this is that if an attacker forces access into a system, they are still unable to read the sensitive information within, as it remains encrypted.
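The property described above, computing on payroll data that stays encrypted, is shown here as an added example; it is not code from the article or from OmniIndex. It uses Paillier, an additively homomorphic scheme rather than full FHE, so it supports only addition and multiplication by a known constant. The primes, salary figures and 20% rate are constructed for the demonstration.

```python
import secrets
from math import gcd

# Constructed demo parameters: two Mersenne primes. Far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q                                     # public key
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1), private
    mu = pow(lam, -1, n)                          # valid because g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    n2 = n * n
    while True:                                   # fresh randomness per ciphertext
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    # (n+1)^m mod n^2 equals 1 + m*n, so no large exponentiation is needed for g^m
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n, c1, c2):
    """Ciphertext of m1 + m2, computed without any private key."""
    return c1 * c2 % (n * n)

def scale(n, c, k):
    """Ciphertext of k * m for a public integer k."""
    return pow(c, k, n * n)

def payroll_demo():
    n, priv = keygen()
    salaries_pence = [312_450, 287_900, 401_125]  # constructed sample data
    stored = [encrypt(n, s) for s in salaries_pence]
    # Processor side: holds only n and ciphertexts, never the private key.
    total_ct = stored[0]
    for c in stored[1:]:
        total_ct = add(n, total_ct, c)
    tax_ct = scale(n, total_ct, 20)               # 20% rate, in hundredths of a penny
    # Key-holder side: only here do plaintext figures appear.
    return decrypt(n, priv, total_ct), decrypt(n, priv, tax_ct) // 100

if __name__ == "__main__":
    print(payroll_demo())
```

Anyone who copies the processor's storage obtains only the values in `stored`, which are randomised and useless without the private key; the private key itself still has to be held somewhere the processor cannot reach.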
What’s more, by replacing legacy data storage solutions with modern decentralized solutions, this data would be further protected from attack as it would be stored in multiple locations as opposed to in one central location, and it would be immutable. This means that the data would be harder to access illegally as there would not just be one location to attack, and that the data cannot be corrupted or held to ransom as it cannot be edited once it has been stored.
Time for change
This attack was totally avoidable, and it is absolutely crucial that we ask why the MoD and other government departments are relying on outdated and frankly obsolete technology to ‘protect’ data when it has proven itself unfit for purpose.
In the interest of national security, it is paramount that the government upgrade its defences before the public’s private data falls into the hands of cybercriminals too.