Personal Information and Credit Card Data of 30,000 U.S. Military and Civilian Personnel Breached

CNBC reported today, “The Pentagon says there has been a cyber breach of Defence Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.  A U.S. official familiar with the matter says the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.”

To keep you, our readers, informed on this fast-breaking story, we have provided comments about the incident from several cybersecurity experts.

Tom Garrubba, Sr. Director/CISO, The Santa Fe Group:
“This appears to continue on a disturbing trend – regardless of industry – of organizations putting more emphasis (i.e., controls) in protecting customer, cardholder, and intellectual property data and not placing the same rigor or controls to protect their most valuable asset: the personal data of their employees. As organizations increase the outsourcing of human resource activities it becomes more evident that the same care be applied to any third party who will be exposed to such data.”
Adam Laub, Senior Vice President, Product Marketing, STEALTHbits Technologies:
“On the heels of the GAO’s report earlier this month stating “nearly all of the Pentagon’s weapons systems are vulnerable to cyberattacks”, it should probably come as no surprise that the DoD’s cybersecurity woes aren’t isolated to only its most critical systems and infrastructure. That said, the Pentagon is no different than virtually any other government agency and even many private institutions, as they all face the same challenges in recruiting and retaining the talent needed to operate effective cybersecurity programs. When you don’t have the right people or enough people, following best practices and plugging vulnerabilities is a pipe dream. The harsh reality is that the day-to-day lives of the people charged with defending our credentials and data are consumed by constant firefighting and merely keeping the walls up, let alone the gates closed.”
Tim Bedard, Director, Security Product Marketing, OneSpan:
“New day, same old story – US government agency compromised by poor third-party contractor security. While this is a new cyber breach headline, the underlying root causes are not. Why? Because US contractors are forced to comply with different security requirements in their contracts across multiple different agencies. This, in turn, often leads to multiple, conflicting security mandates. Combined with poor cyber hygiene like compromised or weak user credentials and unpatched software, the vast majority of these data breaches could be preventable. So how do we address this growing issue?
“A good first step was recently announced – that all Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains. With the Department of Justice, State and Defense adding two-factor authentication to their accounts, this is the latest move by the federal government to boost the security of its websites and databases, which continue to face cyber threats.
“To further improve the government’s security posture, a new standard security requirement for all US agencies needs to be put in place. A new standard security policy for two-factor authentication for all US contractors would remove the burden of supporting multiple different security requirements, eliminate conflicting security mandates while reducing the risk of another third-party contractor security breach in the US government.”
Pravin Kothari, CEO of cloud security vendor CipherCloud:
“In context, this breach at DOD is potentially part of a much larger campaign by several well-known nation-states to build out a comprehensive database on our civilian and military population, our businesses, and all of their activity from one end of the supply chain to the other. They are possibly collecting databases and information, and building cross-indexes to utilize all of this data. This is in addition to all of the other nefarious activities they attempt when breaching our online information technology assets. 
“This activity won’t stop. In fact, left unchecked it will get worse. Increasing cybersecurity risk necessitates that we stop talking and start deploying known best practices that can afford some protection. These include end-to-end encryption of data, both in the cloud and on-premise, the use of two-factor authentication, network segmentation, and more.”

The official says no classified information was compromised. The Pentagon was informed of the breach on October 4, 2018.

By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief