In the digital age, data and the infrastructure that hosts it are no longer just economic assets; they are levers of geopolitical power. Recent allegations in the United Kingdom about a breach in data transfer systems and the involvement of a company under Chinese control have brought to light how the ownership and control of data centers can become vectors of risk for national security. This article gathers what is known and what remains unconfirmed.
Summary of what is known (confirmed and claimed)
In October 2025, former adviser Dominic Cummings claimed that China had obtained “large amounts” of classified information from the British Government through a breach in a Whitehall data transfer system (commonly used as a synonym for the British Government itself and its internal communication systems). Cummings linked the incident to the involvement of a Chinese-owned company in critical infrastructure. These allegations have reignited the political and security debate.
MI5 recently warned Members of Parliament about espionage attempts and influence campaigns from China, Russia, and Iran, placing the episode within a broader context of hybrid threats. ( euronews report)
Important: There is no public confirmation that indisputably proves that “a specific data center was purchased by China to spy” and that explains, with public evidence, the exact path of the exfiltration (unauthorized theft or extraction of information). Many public statements mix access risk, shareholder ownership, and intrusion cases, and it is necessary to distinguish them rigorously.
The most cited example: Global Switch
Global Switch is a global colocation operator with campuses in London (Docklands) and other major cities. In 2016 there was significant Chinese investment, and in 2019 the Jiangsu Shagang Group acquired the remaining stake, becoming the largest shareholder/controller. This caused alarm among governments and sensitive clients and led some public entities to reconsider their physical presence in those facilities for security reasons.
Still, shareholder control by Chinese investors created risk and caution, but it does not automatically equal proof of intrusion or details of “what data was stolen and how.” That distinction is critical for a responsible treatment of the issue. ( data center dynamics report)
Do other powers do the same?
The phenomenon is not exclusive to China: there are examples and digital espionage capabilities attributable or related to several powers.
China: Beyond acquisitions/shareholding, historical investigations (e.g., GhostNet) have shown cyber-espionage operations with command-and-control infrastructure tied to servers located in China; leaks such as Zhenhua Data (2020) revealed massive profiling projects of people worldwide. These cases show both technical operations (malware, APTs) and intelligence activities based on big data and OSINT. ( ora report)
United States: U.S. firms and operators manage a very significant part of global infrastructure (cloud services, data center operators, CDN and peering services). The technical dominance and operational access these companies have over critical infrastructures provide different capabilities and risks in terms of influence and, in extreme scenarios, intelligence. ( nartv)
Russia: Its cyber-offensive capacity (espionage campaigns, targeted intrusions, disinformation operations) is well documented in multiple reports and technical advisories; its modus operandi has historically been direct cyberattacks and covert operations, rather than international corporate acquisitions of data centers. ( euronews report)
In summary: two types of risks must be separated
Physical/operational control of infrastructure (ownership, management, operational staff).
Offensive or cyber capabilities (hacking, APTs, phishing campaigns)..
What they could have accessed, possible vectors, and limits
Inter-ministerial or shared transfer systems: If a service provider or integrator has access to data routes between ministries and those routes are not properly segmented or encrypted, an actor compromising that point can view traffic or files in transit. That was the central concern behind the claims that emerged in the UK.
Physical access and colocation operation: If an operator controls the room (racks, physical-layer switches, PDUs, KVM), they have capabilities to manipulate hardware or install sniffers in case of internal intrusion. Mere shareholder control does not imply intrusion, but it does affect the risk model.
Management and telemetry systems: Remote management platforms (DCIM, BMS) or remote maintenance can be vectors if not properly segregated.
Legal and control framework (what a government can do)
The United Kingdom has the National Security and Investment Act (NSIA) and an investment review regime that allows the government to “call in” acquisitions in sensitive sectors (including digital infrastructure). Recently, there have been updates and debates on its application to data centers. Additionally, the government has been moving toward classifying certain data centers as critical infrastructure and strengthening guidelines for notifications and reviews.
How to prevent our data from ending up in others’ hands
In the end, beyond laws and acronyms, the big question is simple: how do we protect what is most valuable so it doesn’t fall into the wrong hands? Here are some key points:
- Know who is behind the infrastructure:
Just as you wouldn’t leave your house keys with just anyone, countries and companies must carefully examine who the real owner of the data centers storing their information is. Transparency of ownership is essential.a.
- Don’t put all your eggs in one basket:
If all critical information is stored in a single data center or provider, the risk skyrockets. The solution is simple: divide and distribute. Using multiple providers and different locations reduces the chances of a problem turning into a catastrophe.. - Protect the information at its source:
Imagine your data are confidential letters: even if someone intercepted the envelope, they couldn’t read it if it were in a secret language. That “secret language” is encryption: turning information into something unreadable except to the authorized recipient. - Constant audits and reviews:
Trust is not enough. It’s like checking that your door lock still works. Regular reviews, audits, and security tests help detect problems before an outsider exploits them. - Collaboration between countries and companies:
Digital security is not defended in isolation. Just as there are military pacts or cooperation agreements, there must also be alliances to share alerts and best practices about data centers and providers. - Train and raise awareness among people:
Sometimes the weakest point isn’t the machines but the people who work with them. With training and a culture of security, carelessness or social engineering can be avoided from opening the door to espionage.
The claims about a “Chinese purchase of a data center to spy” have once again brought to the table a simple but decisive lesson: risk is not the same as proof, but both deserve urgent attention and mitigation. The UK case (Cummings’ claims, MI5’s warnings) highlights vulnerabilities in how data and providers are managed; the Global Switch example shows that the ownership and shareholder control of global operators can lead to political decisions and client migrations for security reasons.
The answer is not to ban foreign investment per se, but to design a mixed framework of clear rules (legal), technical controls (architecture and encryption), and corporate governance (contracts and audits) that prevent sovereignty over information from being merely nominal. Adopting checklists, legal reviews prior to transactions, strong contractual clauses, and technical measures such as customer-held encryption keys and segmentation are concrete steps that can be applied today.