A “patch” to counter the vulnerability wasn’t created until January 24 this year.
The Powerforce database, which contains a range of sensitive information about ADF recruits, is managed by contractor ManpowerGroup.
The Australian Cyber Security Centre warned a number of government departments, including Defence, on December 24 last year about a potential software problem which could have made their systems vulnerable to attack.
As revealed by the ABC on Wednesday, Defence acknowledged a “potential security concern” but said an investigation found there was no evidence of data being stolen.
Department of Defence deputy secretary Justine Greig told Senate estimates the system was taken down on February 2 for 10 days, but was now back online.
“We were given an indication that there was potentially a security issue with an element of our defence recruiting network,” she said.
“The information that was passed to us was… there was a potential security issue. We were then advised the Australian Cyber Security Centre would do an assessment.”
Australian Signals Directorate chief Rachel Noble said there were concerns about the system being vulnerable to a “malicious actor” as a result of the issue with Citrix.
“We have no further information to understand whether anybody’s network has been a victim of that vulnerability or compromised in that way, only that we are seeing an attempt, perhaps, of someone accessing that network,” she said.
In a statement, ManpowerGroup said it was aware of a potential issue with the recruiting system which had required Defence to take elements of the network offline.
The company said all elements of the system had now been restored to full operations.
In recent years major hacks have been committed against Parliament’s computer network, the Australian National University and a Defence subcontractor.
China has been blamed for the hacks on Parliament and the ANU, but the Morrison government has decided not to name the culprits.
The ASD revealed it has responded to over 1275 cyber security incidents since July 1 last year, or more than five a day.
Over the same period, the ASD has received more than 36,000 reports of cyber crime, one every 10 minutes.
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.