Cyber Incident Victim: London, United Kingdom
Date: Mar 2022
Location: United Kingdom
Summary
A supply chain cyberattack targeting the UK Ministry of Defence's third-party-managed recruitment system compromised personal data of 124 new recruits, including names, birthdates, addresses, qualifications, employment history, and family information, which was subsequently offered for sale on the dark web. The breach forced the army's recruitment portal offline for over a month, prompting an urgent security review. Analysis indicated opportunistic hackers likely exploited weak or stolen credentials via phishing, characterizing the incident as low-sophistication but highlighting rising supply chain risks. The Information Commissioner's Office assessed the breach but required no additional action.
Description
On March 16, 2022, the UK Ministry of Defence (MoD) experienced a cyberattack targeting its Defence Recruitment System (DRS), an army recruitment portal managed by outsourcing contractor Capita. The breach resulted in the theft of personal data belonging to 124 new recruits, including full names, dates of birth, addresses, educational qualifications, previous employment details, and family information. Attackers compromised the system through credential masquerading, exploiting a leaked password, weak authentication controls, or credentials stolen via phishing. This supply chain attack leveraged Capita’s third-party access to the recruitment portal, which analysts confirmed was not connected to core military networks. The DRS was forced offline immediately following the breach and remained inaccessible for over a month during forensic investigations. Stolen recruit data subsequently appeared for sale on dark web marketplaces, with potential buyers including entities seeking to create fraudulent identities.

The MoD initiated an investigation and announced an urgent review of its IT security protocols in response to the incident. Armed Forces Minister James Heappey publicly acknowledged the breach reflected inadequacies in the department’s cybersecurity posture, particularly regarding third-party systems. While the Information Commissioner’s Office assessed the incident, it determined no regulatory action was necessary. Security analysts attributed the attack to opportunistic cybercriminals rather than state-sponsored actors, citing the monetization of data and low technical sophistication as distinguishing factors. The incident underscored systemic vulnerabilities in supply chain security, with attackers targeting weaker third-party infrastructure to bypass the MoD’s primary defenses. Operational impacts included prolonged disruption to military recruitment activities and exposure of sensitive personal information with potential long-term risks to affected individuals.
