The U.S. Department of Defense confirmed on Friday that personal information and credit card data of some 30,000 U.S. military and civilian personnel have been compromised in a breach affecting a DoD’s third-party contractor.
Apparently, no classified information was accessed by the attackers.
What is known about the breach
The Associated Press cited an unnamed U.S. official who says that the breach might end up involving the information of more than 30,000 workers, but that the investigation is still ongoing.
Later, Pentagon spokesman Lt. Col. Joseph Buccino confirmed that they still don’t know the extent of the compromise and who the attackers are.
But, he pointed out that “this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of DoD personnel.
The breach was recently discovered but it’s still unknown how long the attacker had access to the information and to the third party vendor’s systems. DoD leaders were informed about it by a department cyber team on October 4.
Those affected will soon be notified directly by the DoD, and will be provided with fraud protection services, Buccino added.
He also said they won’t be naming the vendor due to security reasons, but that the DoD “has taken steps to have the vendor cease performance under its contracts.” He did not say whether that’s only a temporary cessation.
The scope of this breach pales in comparison with the 2014/2015 breach of the US Office of Personnel Management’s (OPM) network when all kinds of sensitive information about current and former US federal government employees (including those in the DoD) was compromised.
The disclosure of this latest breach comes just days after the U.S. Government Accountability Office released a report saying that the DoD is doing an extremely poor job when it comes to securing weapon systems against cyber attackers.
“The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems,” the Intercept reported.
SOURCE: Help Net Security