'Gobsmacking': The gaping hole leaving info on Australian soldiers open to hackers
Defence has admitted to what a sitting senator calls a "gobsmacking" hole in its online security.
Defence cannot trace who has accessed the private details of Australian soldiers stored in its database, amid allegations it has been used to "shame and humiliate" servicepeople who publicly discussed alleged war crimes in Afghanistan.
The revelation has also sparked fears that foreign spies could abuse "literally open slather access" to Defence's Personal Management Keys System (PMKeyS), which holds the details of more than 10,000 current and former service people.
Defence officials have said they cannot monitor who accesses the system — which is online but only open to defence personnel — but claim they were unaware that ex-Australian Defence Force (ADF) members have boasted about using it to spread details of colleagues who spoke out about alleged war crimes in Afghanistan.
Speaking to Senate estimates in May, Defence chief data integration officer Paul Robards confirmed the department could only log who had altered records in the database.
"We can't tell if they've viewed records," he said.
Defence secretary Greg Moriarty then conceded he would need to "consult with colleagues about the integrity of the system".
Greens senator David Shoebridge, whose questioning led to the revelation, described the vulnerability as "gobsmacking" and demanded urgent action.
"If this was a bank — and they allowed anybody in the bank to access people's financial records, download them, share them without any tracing mechanisms — the Privacy Commissioner would come down on them like a ton of bricks," he told SBS News.
"It'd be a scandal."
Veteran claims details accessed after discussing war crimes
Posts circulating on social media appear to show that some former servicemen have taken advantage of the vulnerability.
One veteran, who has publicly discussed alleged Australian war crimes in Afghanistan, has lodged a complaint with the Australian Information Commissioner over the system, claiming his personal information has been spread online.
In the complaint — seen by SBS News — the man's lawyers detail a number of posts on social media that they argue prove their client's details were accessed via PMKeyS.
A redacted screenshot of an Instagram post, which appears to show ex-ADF members boasting about accessing the PMKeyS system anonymously. Credit: Supplied
One shows an ex-ADF member encouraging others to access the alleged victim's details without their knowledge, and boasting they would not face punishment.
"First person to get me this persons PMKEYs file gets a massive merch pack ... If you are concerned about getting caught, don't be. Turns out JMPU (the military's police unit) can't find out who accesses peoples personal PMKEYs files," the post says.
"I know this because many of my good friends have had their pers[onnel] files leaked to the media."
A comment on the post shows another user confirming "PMKeyS only records if you ... change anything".
Another post shows an account telling the man: "I read your file on PMKeys including the reporting from your platoon commander".
Other details allegedly posted on social media include the man's birth date, his employment since leaving the ADF, and the name of his partner.
The posts, and the page they were uploaded to, have since been deleted.
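What the officials admitted in Senate estimates ("we can't tell if they've viewed records") and what the Instagram commenter claimed ("PMKeyS only records if you ... change anything") describe the same control gap: an audit trail that logs modifications but not reads. The following Python is an added example, not code from Defence or from PMKeyS, and nothing about PMKeyS's real design is assumed beyond what the article states. The personnel store, the user names (alice, bob, mallory) and the record ID "R-1234" are constructed for illustration. It contrasts a write-only audit log with one that records every view, and chains the log entries with SHA-256 so that a later edit to the log itself is detectable.

```python
"""Audit trail that records reads as well as writes.

Added example for this article, not code from Defence or from PMKeyS.
The store, the users (alice, bob, mallory) and record "R-1234" are
constructed. A write-only log answers "who changed this record?" but
not "who looked at it?", which is the question an investigation into
leaked personnel files needs answered.
"""
import hashlib
import json
import time
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry in the chain


@dataclass
class AuditEntry:
    seq: int
    ts: float
    actor: str
    action: str       # "read" or "write"
    record_id: str
    prev_hash: str
    entry_hash: str


def _entry_hash(seq, ts, actor, action, record_id, prev_hash):
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([seq, ts, actor, action, record_id, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


class PersonnelStore:
    """Toy records store; log_reads=False models a modification-only audit log."""

    def __init__(self, log_reads=True):
        self.log_reads = log_reads
        self._records = {}
        self.audit = []

    def _append(self, actor, action, record_id):
        prev = self.audit[-1].entry_hash if self.audit else GENESIS
        seq, ts = len(self.audit), time.time()
        self.audit.append(AuditEntry(seq, ts, actor, action, record_id, prev,
                                     _entry_hash(seq, ts, actor, action, record_id, prev)))

    def write(self, actor, record_id, data):
        self._records[record_id] = data
        self._append(actor, "write", record_id)

    def read(self, actor, record_id):
        # Viewing is an access event: log it before the data is returned.
        if self.log_reads:
            self._append(actor, "read", record_id)
        return self._records.get(record_id)

    def who_accessed(self, record_id, action=None):
        """Actors who touched record_id, optionally filtered to 'read' or 'write'."""
        return [e.actor for e in self.audit
                if e.record_id == record_id and (action is None or e.action == action)]

    def verify_chain(self):
        """True if no entry has been altered or removed from inside the chain.
        Truncation of the newest entries is only caught if the latest hash is
        also anchored somewhere the log writer cannot reach."""
        prev = GENESIS
        for e in self.audit:
            if e.prev_hash != prev:
                return False
            if _entry_hash(e.seq, e.ts, e.actor, e.action, e.record_id, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def scenario(log_reads):
    """alice creates a file, bob views it; returns who the audit log can name."""
    store = PersonnelStore(log_reads=log_reads)
    store.write("alice", "R-1234", {"dob": "(constructed)", "unit": "(constructed)"})
    store.read("bob", "R-1234")
    return {
        "writers": store.who_accessed("R-1234", "write"),
        "readers": store.who_accessed("R-1234", "read"),
        "chain_ok": store.verify_chain(),
    }


def tampered_chain_detected():
    """Rewriting an actor name in the log breaks the hash chain."""
    store = PersonnelStore()
    store.write("alice", "R-1234", {})
    store.read("bob", "R-1234")
    store.audit[1].actor = "mallory"   # attempt to blame someone else for the view
    return not store.verify_chain()


if __name__ == "__main__":
    print("write-only log:", scenario(log_reads=False))
    print("read+write log:", scenario(log_reads=True))
    print("tamper detected:", tampered_chain_detected())
```

With `log_reads=False` the store can still name alice as the last person to change "R-1234" but returns an empty list for readers, which is the position the article describes. With read logging on, bob's view is in the chain, and the tamper check shows why the log itself needs integrity protection: an audit trail that administrators can silently edit is only marginally better than none.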
Under questioning in May, Robards said he was not aware of the posts. But he also insisted they did not prove personal information had actually been accessed or shared.
Defence later said it had not received any evidence related to the matter, but its legal wing had "received correspondence that details broad allegations of this conduct".
The man's lawyer, Natalija Nikolic from XD Law, said she expected the government "to act swiftly to get its own house in order".
"It was jaw-dropping for us to see Defence confirm it does not maintain any records of who accesses extremely personal and confidential information of current and former Australian servicepeople," she said.
"Not only does it present a serious risk to privacy, it presents a serious risk to national security.
"Our client has feared for [the] personal safety of himself and that of his family. There have been real-world consequences. He has been made a target."
SBS News understands that a separate website, which has since been taken down, also contained personal records of veterans, which appeared to be obtained via PMKeyS.
Defence Minister Richard Marles did not answer multiple requests for comment.
Vulnerability sparks spying fears
Shoebridge said the system posed "very real personal risks" to those who spoke out about war crimes, with information being spread to "shame and humiliate" them.
But he claimed it also made Defence systemically vulnerable to foreign spies, with ADF members' whereabouts, service history, and personal circumstances able to be accessed without leaving a trace.
"That’s such an obvious security risk there. The fact it is not being managed, despite the billions and billions and billions going into Defence, is utterly astounding," he said.
"We've got a government that is happy to spend millions of dollars prosecuting whistleblowers. But [it's not spending] the money it needs to spend to make one of the most critical Defence databases secure, not from hacking, but from literally open slather access."
Last week Labor unveiled its $586 million cyber security strategy, with the federal government to partner with private companies to bolster Australia's cyber defences.
Home Affairs Minister Clare O'Neil said the strategy would also focus on strengthening Commonwealth departments' resilience against hacking and ransomware attacks.
"As part of the 2023-2030 Australian Cyber Security Strategy, we have made it clear that we want government to hold itself to the same standard it imposes on industry," she said.
"We’re leading a government-wide cyber upgrade to shield the Commonwealth and the Australian Public Service from cyber attacks. We must embed cyber security in every layer of government with ongoing checks and balances.
"This strategy means tight cyber checks across all government departments – and no weak links in our digital armour. If it's digital and government-owned, then it must be locked down tight."