The US Department of Defense has begun to notify victims of this incident involving military and civilian personnel
The US Department of Defense has revealed that a security breach has exposed the travel records of at least 30k people, as reported by specialists in digital forensics from the International Institute of Cyber Security. “On October 4, the Department of Defense (DoD) identified an intrusion into information binding with DoD personnel requiring a notification to Congress”, said Lieutenant Colonel Joseph Buccino, a Pentagon spokesman, in a statement to various media.
“The DoD continues to collect additional information about the incident, which implies the possible compromise of this information from DoD personnel guarded by a single commercial provider who provided travel management services to this institution”, mentioned Lieutenant Colonel. “This supplier administered a small percentage of DoD general travel management Services”.
The incident, which seems to have affected about 30k military and civilian personnel, resulted in some of the personal information and payment card data being compromised, as reported by digital forensics experts working on the case. The Pentagon reports that its directors were informed about data breach on October 4, although it is not ruled out that the incident has started months ago.
The Pentagon also reports that it will not appoint the affected provider for security reasons and ongoing contracts. Lieutenant Colonel Buccino mentioned that the DoD has taken steps to terminate the contractual relationship of this company with the US government.
This incident has been revealed after the US General Accountability Office (GAO) warned that the DOD was lagging behind the issue of cybersecurity, jeopardizing the proper protection of US weapon controller systems.
The GAO has long insisted on information security deficiencies, which have been ignored or minimized in the absence of risk samples in real scenarios. “Although the GAO has warned about cyber risks for decades, until recently, the DoD gave no importance to the cybersecurity of weapons systems”, the GAO said in a statement.
Digital forensics experts believe that the problem in general is a poor approach to the system’s password security.
“Several weapons systems used commercial or open source software, but never changed the default password, allowing GAO researchers to search the Internet password and gain administrator privileges”, says the GAO.
Still, American military and intelligence agencies are not completely sure about how easy it would be for hackers to attack these systems in a real scenario. “The authors of the GAO report have been unable to distinguish between ‘exploitable remotely’ and ‘exploitable from the Internet’, those are two different things”, considers Jake Williams, an information security consultant.