The Australian Signals Directorate (ASD), an intelligence agency, this week revealed details of a data breach at a defence subcontractor which started in July last year.

The hack was not detected until November. The government described the information stolen – about Australia’s warplanes and navy ships – as “commercially sensitive” but not classified.

The details were released through the technology news website ZDNet on Wednesday. ASD revealed that the subcontractor, a small firm employing about 50 people, was using software that hadn’t been updated for 12 months as well as default username-password combinations, “admin-admin” and “guest-guest”.

ASD said access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account.

Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.

The incident was flagged on Tuesday by the minister for cyber security, Dan Tehan. It has been reported that a hacking tool known as the “Chinese Chopper” was used.

Information Age reported a comment on the news by Stephen Burke, founder and CEO at Cyber Risk Aware, who said: “Yet again another example of “IT Admin” not carrying out IT Security best practices but more importantly other large firms not carrying out adequate third-party risk assessments.

“One IT admin who had only been in the job 9 months speaks for itself and if the large company had carried out a valid third party risk assessment in the first place they would not have sent the data at all.”