Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what assessment he has made of the security of the defence recruitment system following the recent data breach.
The Defence Recruiting System (DRS) has been reconnected to the MOD Core Network (MCN) and Recruiting Group (RG) staff are able to process candidates. The Internet Candidate Portal (ICP) will be operational once requisite system updates have been completed. This will ensure sufficient hardening and testing of DRS is undertaken prior to reconnection of the ICP. The Army continues to recruit and load-to-train candidates under a Business Continuity Plan in a limited fashion whilst the ICP is non-operational.
An investigation by a National Cyber Security Centre-Assured Provider of Cyber Incident Response services found no evidence of system compromise that would allow for exfiltration of candidate data from inside DRS itself. It is likely that initial access to the Internet Candidate Portal was purchased from the Dark Web using credentials (username and password) stolen from the potential candidates themselves.