Ministry of Defence information exposed to nation state attackers in 37 incidents

Sensitive information was left exposed to physical and cyber attackers in 2017

The Ministry of Defence and its partners ‘failed to protect military and defence data' in 37 incidents last year, according to redacted reports seen by Sky News.

The outcome of the security incidents was not revealed in the reports, including whether they resulted in a data leak or the parties thought to be involved - although Sky mentions the Chinese espionage group APT10, which targeted British companies in 2017.

Espionage is not normally subject to a forceful response, but the theft of military secrets could still be a significant threat to national security.

The MoD told Sky that providing any information on the incidents beyond their existence could provide ‘adversaries' with valuable information on the Ministry's ability to reach to threats.

It added, ‘Disclosure of the information would be likely to increase the risk of a cyber attack against IT capability, computer networks and communication devices'.

However, Sky did manage to uncover some information about the breaches. In some cases, information classified as ‘SECRET' could have been exposed through physical access, such as accessing restricted offices and hardware.

In others, information was exposed to nation state-level risks, ‘such as defence information being left unprotected to foreign states' surveillance of internet traffic'.

Other incidents were more at the physical level, including a laptop and two mobile phones being taken overseas, and peripherals that had not been checked for malware being attached to classified systems.

The incident title was redacted from 10 of the reports, implying that the breach was so severe that the MoD considered even admitted that they had happened would harm national security.

The MoD refused to tell Sky whether any of the breaches had been successful.