The argument that this matters holds water. If you can steal the identities of all the applicants then, in particular, you can steal the identities of the successful ones.
GCHQ, along with various other agencies, out-source some of their recruitment, mainly to sift. Perhaps you could steal the identities of the candidates who had passed the initial few sifts...but I really doubt that things like developed vetting status are going through this system.
