The US Department of Defense is dealing with a breach of its travel records that exposed at least 30,000 military and civilian personnel, according to a Pentagon spokesman on the October 12th. The breach resulted in some of their personal information and payment card data being compromised.
“On Oct. 4, the Department of Defense identified a breach of personally identifiable information of DoD personnel that requires congressional notification,” Lt. Col. Joseph Buccino said.
“The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information of DoD personnel maintained by a single commercial vendor that provided travel management services to the department,” he says. “This vendor was performing a small percentage of the overall travel management services of DOD.”
The vendor will not be identified due to security reasons, according to Buccino. However, the department “has taken steps to have the vendor cease performance under its contracts.”
The disclosure of the breach comes, following a federal report on October 9th. It concluded that military weapons programs are vulnerable to cyberattacks and the Pentagon has been slow to protect the systems. As reported by AP, the US Government Accountability Office in its October 9th report said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are “mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats.”
The bigger-picture problem, however, is a poor approach to password security, according to the report.
“Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software,” the report says. “Multiple test teams reported using free, publicly available information or software downloaded from the internet to avoid or defeat weapon system security controls.”
This breach also is similar to a number of other breaches that have hit federal government agencies, exposing health data, personal information, and social security numbers in recent years.
One of the larger recent breaches involved a fitness tracking app called Strava, which gave away locations of secret US army bases in November 2017. The fitness tracking company revealed sensitive information about the location and staffing of military bases and spy outposts around the world.
Strava unknowingly released a data visualization map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others. The map was released in November 2017. Several days after it was released, military analysts noticed that the map is also detailed enough that it potentially gives away extremely sensitive information about a subset of Strava users: military personnel on active service.
Nathan Ruser, an analyst with the Institute for United Conflict Analysts said that the heatmap “looks very pretty,” but is bad for security operations. “US Bases are clearly identifiable and mappable.”
“In Syria, known coalition (i.e. US) bases light up the night,” writes analyst Tobias Schneider. “Some light markers over known Russian positions, no notable colouring for Iranian bases … A lot of people are going to have to sit through lectures come Monday morning.”
Even earlier, in 2015 a massive hack of the federal office of Personnel Management compromised personal information of more than 21 million current, former and prospective federal employees, including those in the Pentagon. The incident was blamed on China, however there was no evidence. Also that year, hackers breached into the email system used by the Joint Chiefs of Staff, affecting several thousand military and civilian workers.
The Department of Defense has repeatedly and consistently claimed that its networks and systems come under attack thousands of times every single day.
We can all appreciate the frankness in this instance, but this particular leak is probably just a criminal incident rather than an espionage incident. Also, let’s not jump to conclusions about cyber-security because a lot of people have a tendency to assume that literally anything is hackable. The DoD is saying there’s a certain gap that is being plugged where certain things can be hacked but frankly no one has any idea how our cyber-security compares to other states.