UK Ministry of Defence takes recruitment system offline, confirms data leak
Info of those signing up to be soldiers leaked, as sources finger Capita-run system
Exclusive: The UK Ministry of Defence has suspended online application and support services for the British Army's Capita-run Defence Recruitment System and confirmed to us that digital intruders compromised some data held on would-be soldiers.
The Army was informed of the break-in on March 14 and told "that a group of hackers was going to release Army Application Data on the dark web," a source familiar with the matter told us.
Two days later, the Army shut down the career website and DRS as a precautionary measure.
The career website is back up and running, but online applications and support are still missing in action – or rather, the website is suffering "TECHNICAL ISSUES":
We are currently experiencing some technical issues with the Army recruitment system. If you have any questions surrounding your application or progression through the recruiting pipeline please call this number 0345 600 8080 or contact your recruiter.
The extent and method of the attack remain under investigation by the MoD and Capita. The exact point of entry has yet to be pinpointed.
DRS, we are told, interfaces with numerous MoD systems including Joint Personnel Administration (JPA) and the Training and Finance Management Information System (TAFIMS), and it is not known how far the attackers got in.
The MoD wanted to avoid potential access by miscreants and instead opted for the shutdown.
Without access to digital services, the Army is using "paper systems to manage their recruitment activity. They have declared a cyber emergency and enacted Op Rhodes," a source claimed.
The exact number of candidate details stolen is unconfirmed, but we were told by several people that it ranges from 125 to 150. One source claimed 125 recruits' data were for sale on the dark web for 1 Bitcoin, or $42,733 at today's exchange rate.
Despite the relatively small volumes of data exposed, this is still incredibly embarrassing for the MoD, and, if it turns out DRS was the method of intrusion, for Capita – which boasts of having a "good deal of its DNA in defence and security."
We understand the affected candidates were contacted by the MoD. Britain's data watchdog, the Information Commissioner's Office, told us the breach has yet to be reported to it.
"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary."
The Register asked the MoD about the timelines, the threat of releasing data on the dark web, and more. An army spokesperson said:
"We have been made aware of a compromise of a small section of recruit data and are testing the matter with the utmost importance. Whilst we are investigating the source of the information it would be inappropriate to comment further."
Capita refused to comment.
Marketing material about the way Capita reinvented the Recruiting Partnering Project (RPP), a £495m contract it signed in 2012 with the British Forces, makes no mention of the checkered past for the DRS component, which itself debuted in November 2017 – some 52 months behind schedule.
Under the contract, Capita was in charge of running recruitment operations, including marketing, processing applications and handling the candidate assessment centres.
Online recruitment was due to launch in July 2013 but the MoD "failed to meet contractual obligations to provide the infrastructure to host Capita's recruitment software," said a National Audit Office report [PDF] in 2019.
At the start of 2014, the "Army passed responsibility for developing the whole system to Capita."
Capita, the report continued, underestimated the level of customization required for the online system, and built bespoke applications rather than using off-the-shelf software. It was hosted on Capita infrastructure, not the MoD cloud that runs on Microsoft Azure, the NAO said. A source told us that remains the case.
DRS initially failed in the early days after launch to the point that recruits were almost unable to sign up online. Poor pre-delivery testing was also blamed. Capita then, at its own expense, began an intense seven-month period to sort out the technical problems.
The Public Accounts Committee – Parliament's spending watchdog – said in a 2019 report:
"The shortfall each year has ranged from 21 per cent to 45 per cent of the Army's requirement. In 2017–18, Capita recruited 6,948 fewer regular and reserve soldiers and officers than the Army needed. Capita missed the Army's annual target for recruiting regular soldiers by an average of 30 per cent over the first five years of the contract, compared with a 4 per cent shortfall in the two years before Capita started."
The PAC report said the Army was preoccupied with the war in Afghanistan in 2012 when it entered into the RPP with Capita, and admitted it was "naïve to think it could just contract out recruitment to an organization that was not military".
Capita, according to the report, admitted it "made mistakes", saying: "It had been more interested in 'chasing revenue' and winning new contracts rather than its partnership with the Army."
Recruitment targets were lowered – but still missed – and the contract's penalties reset, the PAC said. It voiced concerns the Army did not push back on Capita's "poor performance." The Army deducted £26 million in payments to Capita in one lump – the only financial penalty during the contract to date.
Despite a string of failings on both sides, the reward for Capita was a £140 million extension to keep RPP for four more years until 2024.
An insider told us that so far a replacement for DRS is not on the horizon, and they expect the current system will be extended with Capita until April 2026.
The Army still does not have full ownership of the intellectual property upon which DRS is based. It does have contractual rights to the software code, but the complexity of the systems will mean it will be "difficult to test its future adaptability," said the NAO report from 2019.
"If the Army decides to continue using the system, it will have to pay Capita for a licence. However, if the application is not suitable for modification, the Army will need to buy or develop a new recruitment system after the contract with Capita ends."
We asked the MoD when DRS was last accredited by Defence Digital as secure and when the last penetration testing was completed.
The UK's Air Force and Navy appear to be unaffected by recent events. Both forces moved off DRS last year, awarding Pegasystems a £9.5 million, three-year support contract in 2021. Under that agreement, the software biz provides a "standard production cloud offering" via AWS infrastructure. ®