Cyber Incident Victim: Ministry of Defence

Date: Mar 2022

Location: United Kingdom

Summary

The UK Ministry of Defence suspended its Capita-operated military recruitment system following a cyber intrusion that compromised applicant data, prompting precautionary measures including system shutdowns and a shift to paper-based processing. An unauthorized group accessed and offered for sale personal details of approximately 125 to 150 prospective recruits on the dark web, though the full scope of the breach and intrusion methods remained under investigation. While affected individuals were notified, the incident had not been formally reported to the national data watchdog at the time of disclosure, exacerbating operational disruptions to recruitment services.

Description

On March 14, 2022, the UK Ministry of Defence was informed that a group of hackers had compromised data within the Capita-operated Defence Recruitment System (DRS) and intended to release British Army applicant information on the dark web. The DRS managed online applications and support services for Army recruitment. In response to this breach notification, the Army took precautionary measures by shutting down both its career website and the DRS on March 16. While the career website was later restored, online application and support functionalities remained offline due to unresolved technical issues, forcing recruitment personnel to revert to paper-based systems under a declared cyber emergency designated Operation Rhodes. The MoD and Capita initiated investigations to determine the attack's origin, scope, and methodology, though the precise entry point remained unidentified at the time of reporting. The compromised system interfaced with critical MoD platforms including the Joint Personnel Administration system and the Training and Finance Management Information System, raising concerns about potential lateral movement within MoD networks.

The attackers exfiltrated data belonging to an estimated 125 to 150 recruitment candidates, with one source alleging 125 records were offered for sale on the dark web for 1 Bitcoin (approximately $42,733). The MoD directly notified affected individuals about the breach but had not formally reported the incident to the Information Commissioner's Office by March 24. Despite the relatively limited volume of exposed data, the incident caused significant operational disruption to Army recruitment processes and reputational damage to both the MoD and Capita, which prominently markets its defense and security expertise. Forensic efforts continued to assess whether the DRS breach served as the initial intrusion vector and to evaluate potential compromises of interconnected MoD systems. Recruitment services remained partially degraded, with applicants directed to telephone support channels while digital systems underwent remediation.
