The data extracted included details about new fighter planes and navy vessels.
"While the Australian company is a national security-linked contractor and the information disclosed was commercially sensitive, it was unclassified".
At the moment, QinetiQ Australia has 350 specialist staff located across Australia who use their know-how to deliver value solutions to Australian defence and government organisations across air, land, sea and information domains as well as the rail and mining industries.
When asked about the incident on ABC RN Breakfast this morning, defence industry minister Christopher Pyne stressed that it was not military secrets stolen.
The Australian defence ministry is trying to downplay the 2016 hacking of a contractor that exposed data about Australia's Joint Strike Fighter programme.
Mr Clarke said the hack was "extensive and extreme" and took advantage of "sloppy" security at the contractor. The attacker had apparently gained and continued to have access for an extended period of time and the report says that the hacker "remained active on the network at the time". When BuzzFeed News sought a copy of the presentation directly from the department, a spokesperson for the Australian Cyber Security Centre provided a long response stating the data was not classified, without directly responding to the request.
According to Mitchell Clarke, the hacked company was rather small and was subcontracted four levels down from the defense contracts.
"I don't think you can try and sheet blame for a small enterprise having lax cyber security back to the Federal Government", he told RN Breakfast.
The admin password, to enter the company's web portal, was "admin" and the guest password was "guest".
"Fortunately, the data that was taken was commercial data, not military data, but it is still very serious and we will get to the bottom of it". "Breach detection times are not reducing and with it taking between 120 and 150 days to be identify a threat, organisations need a way to limit the damage in the meantime".
"Security thinking needs to change; organisations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access - and the security industry must facilitate that shift".