Data Breach Forces UK Army to Shut Down Recruitment Portal

UK Ministry of Defence Logo Outside Office in Whitehall, London, England

The UK’s Ministry of Defence (MoD) has revealed that hackers gained access to the country’s army recruitment portal in March, prompting authorities to temporarily shut down the platform as a precautionary measure, and launch an investigation into the incident. The data of some army applicants is believed to have been compromised in the breach.

The British army has reverted to using paper and pen for registering recruits and other related activities in the meantime. While the army recruitment portal, called the Defence Recruitment System (DRS), is back online, access is restricted as the external DRS portal remains offline.

Data of 120 Applicants Leaked Online, Method of Breach Unknown

The MoD shut down the DRS in mid-March after the information of 120 applicants was found on sale on the dark web. The UK’s defense ministry is still investigating the method and extent of the attack. The exact point of entry the hackers used to gain access is unclear. There are speculations that the incident was “a low level compromise” and may not involve international actors.

The MoD reportedly decided to shut down the DRS to prevent unauthorized access to its other systems. The DRS is linked with “numerous MoD systems including Joint Personal Admin (JPA) and Training and Finance Management Information System (TAFIMS).”

A source told The Register that the recruits’ data was selling for 1 BTC (approximately $42,733 today).

Army Recruitment Impacted for Over Five Weeks

“Following the compromise of a small selection of recruit data, the army’s online recruitment services were temporarily suspended pending an investigation. This investigation has now concluded allowing some functionality to be restored and applications to be processed,” a spokesperson for the British army said in a statement.

The login page for potential recruits currently displays a message saying “we are currently experiencing technical issues.” It directs candidates looking for updates on the status of their application to call a dedicated number.

UK’s Data Protection Authority Notified

The UK Information Commissioner’s Office (ICO), the official body responsible for data protection in the country, has been notified about the breach.

“After making inquiries and carefully reviewing the information provided, we decided no further action was needed at this time,” an ICO spokesperson told the Guardian.

The UK is not currently fighting in the Russia-Ukraine conflict. However, the country has deployed a growing number of soldiers to Poland and Estonia.

Unfortunately, UK army recruitment numbers have fallen below target over the last few years. In fact, in six out of the eight previous years, the army could not meet its 82,050 official recruitment target. Consequently, it has decided to drop its target to 72,500 by 2025.

The impact of this data breach and system shutdown on the army’s recruitment efforts remains to be seen.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.