It’s been a hell of a week for the Pentagon, which can’t seem to keep itself out of headlines recently. Now, it says it’s been hit by a cyber breach of Defense Department travel records that may have compromised the credit card data and other personal information of its workers.
A United States official with knowledge of the breach, who spoke with the Associated Press on the condition of anonymity while an investigation is underway, said that as many as 30,000 workers could have been affected.
Lt. Col. Joseph Buccino, a spokesman for the Pentagon, confirmed to Gizmodo in a statement by email that the Defense Department is investigating the hack, which he said occurred through a yet-unnamed contractor that maintained the department’s travel records.
“The Department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the Department,” he said. “This vendor was performing a small percentage of the overall travel management services of DoD.”
Buccino said that the Pentagon has begun notifying those whose information may have been compromised, adding that “the Department is assessing further remedial measures.”
The Associated Press press reported Friday that while the department’s cyber team flagged the hack to leadership on October 4, its source said it is possible the initial breach could have happened “some months ago.” And if some 30,000 affected parties sounds like a huge number, the AP’s source also said there’s a possibility that even more staffers could be found to be affected as the investigation into the cyber breach continues.
“We continue to assess the risk of harm and will ensure notifications are made to impacted personnel whose PII may have been compromised,” Buccino said.
As the Associated Press reported, this isn’t exactly new for the Defense Department, which it notes “has consistently said that its networks and systems are probed and attacked thousands of times a day.” Moreover, a report from the U.S. Government Accountability Office released just days ago said the Department of Defense had not until recently prioritized the safeguarding of its weapon cybersecurity and added that Defense officials the GAO met with were dismissive of findings.
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report said. “In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.”
Now may be a good time to reassess those security measures.