Source · Select Committees · Public Accounts Committee

Recommendation 20


The C&AG learned of the data breach only when it became public in 2025, while his audit director had been secretly briefed but barred from sharing the detail.

Conclusion
The C&AG told us that the first he knew about the data breach was when it became publicly known in July 2025. His audit director had been briefed at the time of auditing the 2023–24 accounts that there was a secret matter that could not be shared, and it meant there was a data breach that had not been included in the governance statement in the accounts. There was no briefing of the NAO by the Department about the operational consequences of this, the number of people affected, or the likely cost.[52] The audit director was told that they could not tell anybody at the NAO about the detail that they had been briefed with.[53]

[46] Q 32
[47] Q 36
[48] C&AG’s Report, para 18
[49] Q 32
[50] Q 40
[51] Letter from Ministry of Defence, 7 October 2025
[52] Q 33
[53] Q 35