An Australian serving within a military intelligence organisation of a Five Eyes ally has allegedly had his personal data stolen from within the Australian Defence Force’s secure personnel system and posted online.
Australia’s joint military police unit is investigating an allegation that a serving member of Australia’s special forces unlawfully accessed the data of the intelligence official and posted personal and sensitive data in an online location accessible to the public.
It is also alleged that offensive cybertools of a sophistication deployed by states were used to hack the private accounts of the Australian citizen, including remotely accessing a private computer.
Defence sources have confirmed the investigation into an alleged breach of the ADF’s Personnel Management Key Solution, known as PMKeyS, and into the use of offensive cybertools.
The investigation was referred to the ADF’s joint military police unit and the Australian federal police. A complaint has also been registered with the Australian Cyber Security Centre, and the offices of the attorney general and home affairs minister have been made aware of the alleged breach.
PMKeyS is the authoritative management record for all defence personnel and holds personal and family data, contact details, health information and employment history details. Unlawful access of PMKeyS is a criminal offence.
Defence says any PMKeyS users must “not disclose an individual’s personal information to any outside party”.
“All access to these data must be maintained strictly on a ‘need to know’ basis.”
The defence department declined to answer specific questions on the investigation, including whether any suspected offenders had been identified.
“Defence cannot comment on security investigations,” a spokesperson said. “Defence takes any allegations of its systems being misused extremely seriously.
“Defence has a strict security regime around PMKeyS and regularly implements security updates provided by the Australian Cyber Security Centre in the Information Security Manual.”
The personal and sensitive service details of the Australian citizen – who now works for a military intelligence organisation for an allied foreign government – were allegedly stolen from PMKeyS in April and posted publicly online.
The foreign government has been informed of the alleged breach.
The defence spokesperson said access to PMKeyS “reflects contemporary cyber security advice and this is subject to twice yearly reviews through external audits”.
Defence force members are required to undertake training on their legal obligations before being given access to PMKeyS.
Last month, the department wrote to ADF members over fears the personal data of personnel may have been compromised in a ransomware attack on a communications platform.
Hackers targeted the ForceNet service, run by an external IT provider, with defence force chiefs emailing staff: “We are taking this matter very seriously and working with the provider to determine the extent of the attack and if the data of current and former APS [Australian public service] staff and ADF personnel has been impacted.”
In 2020, the defence force’s recruiting database was taken offline for 10 days and quarantined from other military networks after it was hacked.
In 2018, student data was accessed from the National Security College at the Australian National University. And in 2017, a national security contractor was breached, with hackers stealing significant and sensitive defence supplier data.
In the wake of the recent cyber-attacks on databases held by Optus and Medibank, the home affairs minister, Clare O’Neil, has established a new “joint standing operation” to investigate cybercrime.
“Cybersecurity is a core national security focus of our government,” O’Neil said.
O’Neil’s office and the AFP declined to comment on the defence investigation.