'Gobsmacking': The gaping hole leaving info on Australian soldiers open to hackers

Defence has admitted to what a sitting senator calls a "gobsmacking" hole in its online security.


Defence admits it has no way of knowing who has accessed a database that contains private information of current and former soldiers.

Key Points
  • Defence concedes it can't trace who has accessed a key database that holds soldiers' personal details.
  • One sitting senator has described the loophole as 'gobsmacking' and demanded action.
  • The loophole has allegedly been used to access details of veterans who spoke about alleged war crimes.

Defence cannot trace who has accessed the private details of Australian soldiers stored in its database, amid allegations it has been used to "shame and humiliate" servicepeople who publicly discussed alleged war crimes in Afghanistan.

The revelation has also sparked fears that "literally open slather access" to Defence's Personal Management Keys System (PMKeyS), which holds the details of more than 10,000 current and former service people, could be abused.

Defence officials have said they cannot monitor who accesses the system — which is online but only open to defence personnel — but claim they were unaware that ex-Australian Defence Force (ADF) members have boasted about using it to spread details of colleagues who spoke out about alleged war crimes.

Defence secretary Greg Moriarty said he would 'consult with colleagues about the integrity of the system'. Source: AAP / Mick Tsikas

Speaking to Senate estimates in May, Defence chief data integration officer Paul Robards confirmed the department could only log who had altered records in the database.

"We can't tell if they've viewed records," he said.

Defence secretary Greg Moriarty then conceded he would need to "consult with colleagues about the integrity of the system".
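The gap the officials describe, a system that records who altered a record but not who viewed it, is easy to make concrete. The following is an added illustration and is not code from Defence or from PMKeyS; the class and method names (PersonnelRecords, who_accessed) and the sample record are hypothetical. With log_reads=True every view is appended to the same audit trail as every update, so an after-the-fact query can list who looked at a record; with log_reads=False the store behaves like the one described in evidence, and a viewer leaves no trace.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    """One immutable line in the audit trail."""
    when: str        # ISO-8601 UTC timestamp
    actor: str       # authenticated identity of the person acting
    action: str      # "VIEW" or "UPDATE"
    record_id: str   # which personnel record was touched


class PersonnelRecords:
    """Hypothetical records store (not PMKeyS) with an append-only audit trail.

    log_reads=False reproduces the weakness described in the testimony:
    only modifications are logged, so reads are invisible afterwards.
    """

    def __init__(self, log_reads: bool = True) -> None:
        self._records: Dict[str, dict] = {}
        self._audit: List[AuditEvent] = []   # no method ever removes from this
        self._log_reads = log_reads

    def _log(self, actor: str, action: str, record_id: str) -> None:
        self._audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, record_id))

    def update(self, actor: str, record_id: str, changes: dict) -> None:
        """Modify a record; always audited, as the real system already does."""
        self._records.setdefault(record_id, {}).update(changes)
        self._log(actor, "UPDATE", record_id)

    def view(self, actor: str, record_id: str) -> dict:
        """Read a record. The audit line is written before the data is
        returned, so even a lookup of a missing record is on the trail."""
        if self._log_reads:
            self._log(actor, "VIEW", record_id)
        return dict(self._records.get(record_id, {}))   # copy, not the live object

    def who_accessed(self, record_id: str, action: Optional[str] = None) -> List[str]:
        """Actors who touched a record, in order; optionally filtered by action."""
        return [e.actor for e in self._audit
                if e.record_id == record_id and (action is None or e.action == action)]


def demo() -> dict:
    """Compare a read-auditing store with one that logs updates only.
    Identities and record contents are constructed sample values."""
    audited = PersonnelRecords(log_reads=True)
    audited.update("hr_clerk", "P-0001", {"unit": "constructed example"})
    audited.view("curious_user", "P-0001")

    update_only = PersonnelRecords(log_reads=False)
    update_only.update("hr_clerk", "P-0001", {"unit": "constructed example"})
    update_only.view("curious_user", "P-0001")

    return {
        "audited": audited.who_accessed("P-0001"),
        "audited_viewers": audited.who_accessed("P-0001", action="VIEW"),
        "update_only": update_only.who_accessed("P-0001"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the audit write sits inside the read path itself, not in a separate reporting layer that can be bypassed, and that the trail is append-only so the record of a view cannot be removed by the same user who made it.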

Greens senator David Shoebridge, whose questioning led to the revelation, described the vulnerability as "gobsmacking" and demanded urgent action.

"If this was a bank — and they allowed anybody in the bank to access people's financial records, download them, share them without any tracing mechanisms — the Privacy Commissioner would come down on them like a ton of bricks," he told SBS News.

"It'd be a scandal."

Veteran claims details accessed after discussing war crimes

Posts circulating on social media appear to show that some former servicemen have taken advantage of the vulnerability.

One veteran, who has publicly discussed alleged Australian war crimes in Afghanistan, has lodged a complaint with the Australian Information Commissioner over the system, claiming his personal information has been spread online.

In the complaint — seen by SBS News — the man's lawyers detail a number of posts on social media that they argue prove their client's details were accessed via PMKeyS.

A redacted screenshot of an Instagram post, which appears to show ex-ADF members boasting about accessing the PMKeyS system anonymously. Credit: Supplied

One shows an ex-ADF member encouraging others to access the alleged victim's details without their knowledge, and boasting they would not face punishment.

"First person to get me this person's PMKEYs file gets a massive merch pack ... If you are concerned about getting caught, don't be. Turns out JMPU (the military's police unit) can't find out who accesses people's personal PMKEYs files," the post says.

"I know this because many of my good friends have had their pers[onnel] files leaked to the media."

A comment on the post shows another user confirming "PMKeyS only records if you ... change anything".

Greens senator David Shoebridge described the revelation as "gobsmacking". Source: AAP / Lukas Coch

Another post shows an account telling the man: "I read your file on PMKeys including the reporting from your platoon commander".

Other details allegedly posted on social media include the man's birth date, his employment since leaving the ADF, and the name of his partner.

The posts, and the page they were uploaded to, have since been deleted.

Under questioning in May, Robards said he was not aware of the posts. But he also insisted they did not prove personal information had actually been accessed or shared.

Defence later said it had not received any evidence related to the matter, but its legal wing had "received correspondence that details broad allegations of this conduct".

Defence Minister Richard Marles did not answer multiple requests for comment. Source: AAP / Lukas Coch

The man's lawyer, Natalija Nikolic from XD Law, said she expected the government "to act swiftly to get its own house in order".

"It was jaw-dropping for us to see Defence confirm it does not maintain any records of who accesses extremely personal and confidential information of current and former Australian servicepeople," she said.

"Not only does it present a serious risk to privacy, it presents a serious risk to national security.

"Our client has feared for [the] personal safety of himself and that of his family. There have been real-world consequences. He has been made a target."

SBS News understands that a separate website, which has since been taken down, also contained personal records of veterans, which appeared to be obtained via PMKeyS.

Defence Minister Richard Marles did not answer multiple requests for comment.

Vulnerability sparks spying fears

Shoebridge said the system posed "very real personal risks" to those who spoke out about war crimes, with information being spread to "shame and humiliate" them.

But he claimed it also made Defence systemically vulnerable to foreign spies, with ADF members' whereabouts, service history, and personal circumstances able to be accessed without leaving a trace.

"That’s such an obvious security risk there. The fact it is not being managed, despite the billions and billions and billions going into Defence, is utterly astounding," he said.

"We've got a government that is happy to spend millions of dollars prosecuting whistleblowers. But [it's not spending] the money it needs to spend to make one of the most critical Defence databases secure, not from hacking, but from literally open slather access."

Home Affairs Minister Clare O'Neil says the government's cyber strategy will also focus on bolstering Commonwealth defences. Source: AAP / Lukas Coch

Last week Labor unveiled its $586 million cyber security strategy, with the federal government to partner with private companies to bolster Australia's cyber defences.

But Home Affairs Minister Clare O'Neil confirmed it will also focus on strengthening Commonwealth departments' resilience against hacking and ransomware attacks.

"As part of the 2023-2030 Australian Cyber Security Strategy, we have made it clear that we want government to hold itself to the same standard it imposes on industry," she said.

"We’re leading a government-wide cyber upgrade to shield the Commonwealth and the Australian Public Service from cyber attacks. We must embed cyber security in every layer of government with ongoing checks and balances.

"This strategy means tight cyber checks across all government departments – and no weak links in our digital armour. If it's digital and government-owned, then it must be locked down tight."

Published 1 December 2023 11:33am
Updated 1 December 2023 4:59pm
By Finn McHugh
Source: SBS News