[BreachExchange] UK Ministry of Defence takes recruitment system offline, confirms data leak

[Terrell Byrd]

https://www.theregister.com/2022/03/24/ministry_of_defence/

The UK Ministry of Defence has suspended online application and support
services for the British Army's Capita-run Defence Recruitment System and
confirmed to us that digital intruders compromised some data held on
would-be soldiers.

The army was informed of the break-in on March 14, and "that a group of
hackers was going to release Army Application Data on the dark web," a
source familiar with the matter told us.

Two days later, the Army shut down the career website and DRS as a
precautionary measure.

The career website is back up and running, but online applications and
support are still missing in action – or rather, the website is suffering
"TECHNICAL ISSUES":

We are currently experiencing some technical issues with the Army
recruitment system. If you have any questions surrounding your application
or progression through the recruiting pipeline please call this number 0345
600 8080 or contact your recruiter.

The extent and method of the attack remains under investigation by the MoD
and Capita. The exact point of entry has yet to be pinpointed.

DRS, we are told, interfaces with numerous MoD systems including Joint
Personal Admin (JPA) and Training and Finance Management Information System
(TAFIMS), and it is not known how far the attackers got in.

The MoD wanted to avoid potential access by miscreants and instead opted
for the shutdown.

Without access to digital services, the Army is using "paper systems to
manage their recruitment activity. They have declared a cyber emergency and
enacted Op Rhodes," a source claimed.

The exact number of candidate details stolen is unconfirmed, but we were
told by several people that it ranges from 125 to 150. One source claimed
125 recruits' data were for sale on the dark web for 1 Bitcoin, or $42,733
at today's exchange rate.

Despite the relatively small volumes of data exposed, this is still
incredibly embarrassing for the MoD, and, if it turns out DRS was the
method of intrusion, for Capita – which boasts of having a "good deal of
its DNA in defence and security."

We understand the affected candidates were contacted by the MoD. Britain's
data watchdog, the Information Commissioner's Office, told us the breach
has yet to be reported to it.

"Organisations must notify the ICO within 72 hours of becoming aware of a
personal data breach, unless it does not pose a risk to people's rights and
freedoms.

"If an organisation decides that a breach doesn't need to be reported they
should keep their own record of it, and be able to explain why it wasn't
reported if necessary."

The Register asked the MoD about the timelines, the threat of releasing
data on the dark web, and more. An army spokesperson said:

"We have been made aware of a compromise of a small section of recruit data
and are testing the matter with the utmost importance. Whilst we are
investigating the source of the information it would be inappropriate to
comment further."

Capita refused to comment.

Marketing material about the way Capita reinvented the Recruiting
Partnering Project (RPP), a £495m contract it signed in 2012 with the
British Forces, makes no mention of the checkered past for the DRS
component, which itself debuted in November 2017 – some 52 months behind
schedule.

Under the contract, Capita was in charge of running recruitment operations,
including marketing, processing applications and handling the candidate
assessment centres.

Online recruitment was due to launch in July 2013 but the MoD "failed to
meet contractual obligations to provide the infrastructure to host Capita's
recruitment software," said a National Audit Office report [PDF] in 2019.

At the start of 2014, the "Army passed responsibility for developing the
whole system to Capita."

Capita, the report continued, underestimated the level of customization
required for the online system, and built bespoke applications rather than
using off-the-shelf software. It was hosted on Capita infrastructure, not
the MoD cloud that runs on Microsoft Azure, the NAO said. A source told us
that remains the case.

DRS initially failed in the early days after launch to the point that
recruits were almost unable to sign up online. Poor pre-delivery testing
was also blamed. Capita then, at its own expense, began an intense
seven-month period to sort out the technical problems.

It was revealed by the MoD in 2020 that in the 12 months after the DRS was
switched on, there was a 22 per cent drop – meaning a whopping 25,000 fewer
applicants – to the British Army.

The Public Accounts Committee – Parliament's spending watchdog – said in a
2019 report:

"The shortfall each year has ranged from 21 per cent to 45 per cent of the
Army's requirement. In 2017–18, Capita recruited 6,948 fewer regular and
reserve soldiers and officers than the Army needed. Capita missed the
Army's annual target for recruiting regular soldiers by an average of 30
per cent over the first five years of the contract, compared with a 4 per
cent shortfall in the two years before Capita started."

The PAC report said the Army was preoccupied with the war in Afghanistan in
2012 when it entered into the RPP with Capita, and admitted it was "naïve
to think it could just contract out recruitment to an organization that was
not military".

Capita, according to the report, admitted it "made mistakes", saying: "It
had been more interested in 'chasing revenue' and winning new contracts
rather than its partnership with the Army."

Recruitment targets were lowered – but still missed – and the contract's
penalties reset, the PAC said. It voiced concerns the Army did not push
back on Capita's "poor performance." The Army deducted £26 million in
payments to Capita in one lump – the only financial penalty during the
contract to date.

Despite a string of failings on both sides, the reward for Capita was a
£140 million extension to keep RPP for four more years until 2024.

An insider told us that so far a replacement for DRS is not on the horizon,
and they expect the current system will be extended with Capita until April
2026.

The Army still does not have full ownership of the intellectual property
upon which DRS is based. It does have contractual rights to the software
code and complexity of the systems will mean it will be "difficult to test
its future adaptability," said the NAO report from 2019.

"If the Army decides to continue using the system, it will have to pay
Capita for a licence. However, if the application is not suitable for
modification, the Army will need to buy or develop a new recruitment system
after the contract with Capita ends."

We asked the MoD when DRS was last accredited by Defence Digital as secure
and when the last penetration testing was completed.

The Air Force and Navy appear to be unaffected by recent events. Both
forces moved off DRS last year, awarding Pegasystems a £9.5 million,
three-year support contract in 2021. Under that agreement, the software biz
provides a "standard production cloud offering" via AWS infrastructure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220324/75a75c7a/attachment.html>