The alleged compromise of a highly confidential document from the Department of Defence was no accident, an insider says.
The document was allegedly stolen after a Defence official emailed the document to their home account, ABC's Four Corners reported.
Malware residing on the official's home computer then exfiltrated the document to servers in China, the TV program claimed.
A Four Corners source said Defence was a "victim of its own bad practices as much as the efforts of the hacking fraternity".
However, a Department of Defence source told SC a person stealing a classified document would need to deliberately circumvent security controls, and it was not possible to accidentally email the file to an external address.
“The idea that a highly classified document was emailed out is probably total bullsh*t,” the source said.
“The officer would have had to have gone through and edited the document to remove keywords. There are a lot of safeguards to stop Wikileaks-type scenarios.”
Security controls were in place at Defence to prevent sensitive documents from being copied off the network. Such documents were marked classified and were protected by data leak prevention (DLP), which searched for words and phrases in order to prevent accidental or deliberate loss of sensitive information.
But DLP systems could be infamously porous and required significant fine-tuning to work effectively.
Heightened state of risk
It comes as ASIO chief David Irvine said the new department headquarters was secure despite reports blueprints for the building had been compromised.
The head of the country's domestic security agency said it was frustrating that he could not verify the ABC reports due to national security concerns.
Four Corners revealed through anonymous sources that the blueprints included details on the building's security systems, communications networks and server room locations.
Attorney General Mark Dreyfus said the building would not be redesigned as suggested by sources in the ABC program. The sources said ASIO would alternatively need to accept a heightened state of risk.