A database containing personal information of Australian Defence Force (ADF) personnel was taken offline last month in response to a cybersecurity incident.
In a statement, Defence confirmed to Information Age that “some elements of the Defence Force Recruiting Network (DFRN)” were quarantined from February 2 to February 12 because of a “potential security concern”.
The recruitment system was managed externally by the ManpowerGroup which has been Defence’s prime recruiting contractor since 2003.
A spokesperson for the ManpowerGroup said the company was “aware of a potential issue identified with the DFRN, requiring Defence to proactively take elements of this network offline” and that “all elements of the DFRN have since been restored to full operations.”
Although Defence’s investigation into the incident “did not identify any evidence to suggest a compromise of information had occurred,” a lack of evidence does not necessarily mean no data was accessed.
Analyst in the Australian Strategic Policy Institute’s International Cyber Policy Centre, Jocelinn Kang, said cybersecurity events like this highlight a major issue with data is perceived.
“For any incident you have to ask ‘has someone not taken anything or do we just not know?’" Kang said.
“Have [attackers] maybe just not left any evidence that something has been taken?”
The level of information potentially available on Defence recruitment servers could be quite valuable for foreign espionage campaigns, Kang said.
“It depends what was in that database,” she said. “There could have been medical records and they might have had some psych testing in there as well.
“That’s the kind of data you that wouldn’t want to get out there if people are trying to profile you for whatever reason.
“That could be used, in the espionage world, to make an approach. Or perhaps – if you’re a political figure – to get a sense of who you are and what vulnerabilities you may have.”
Defence applicants undertake medical assessments and psychological interviews as part of the recruitment process.
Liberal MP Andrew Hastie – who served in the ADF and is chair of the Parliamentary Joint Committee on Intelligence and Security – told the ABC he had high expectations for the nation’s high level computer systems.
“Our government and defence networks should be fortresses — no breach can be considered small,” Hastie said.
“For Defence to take this offline for 10 days suggests a fairly sophisticated actor.”
‘Sophisticated’ was the word used to describe an attack on the parliamentary IT system 12 months ago. The official word at the time was there had been “no evidence” of data being accessed in the incident.
Months later, it was revealed that bad actors got hold of a “small amount of non-sensitive data” in the successful watering-hole attack of the nation’s most powerful political institution.