Pentagon Travel Provider Data Breach Counts 30,000 VictimsDepartment of Defense Has Begun Notifying Military and Civilian Breach Victims
The U.S. Department of Defense is warning that a data breach has exposed travel records for at least 30,000 personnel.
"On Oct. 4, the Department of Defense identified a breach of personally identifiable information of DoD personnel that requires congressional notification," Lt. Col. Joseph Buccino, a Pentagon spokesman, tells Information Security Media Group.
"The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information of DoD personnel maintained by a single commercial vendor that provided travel management services to the department," he says. "This vendor was performing a small percentage of the overall travel management services of DOD."
The breach, which appears to have affected 30,000 military and civilian personnel, resulted in some of their personal information and payment card data being compromised, the Associated Press first reported.
The Pentagon says its leadership was informed about the breach on Oct. 4 by one of the department's cybersecurity teams. AP reports that the breach may have begun months prior.
Buccino says that the Pentagon will not name the vendor that suffered the breach, due to security concerns and ongoing contracts. But he tells AP that the Defense Department "has taken steps to have the vendor cease performance under its contracts."
The Defense Department says it has begun directly notifying all breach victims. The department is offering victims prepaid identity theft monitoring services, AP reports.
"The Department is continuing to assess the risk of harm," Buccino tells ISMG. "While additional information about this incident is being gathered, the department is assessing further remedial measures."
Weapons Cybersecurity Alert
The warning about the Pentagon travel-service-provider's breach follows the U.S. General Accountability Office on Tuesday warning that the Defense Department's approach to the cybersecurity of its weapon systems was lagging. It issued a report, "Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities."
The review was driven by the U.S. military having "plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems," GAO says in its report summary.
For too long, however, GAO says that for U.S. weapon system developers, cybersecurity has been an afterthought, and that projects for which information security deficiencies get identified have too often been ignored or downplayed as not having arisen from realistic potential attack scenarios.
"Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritize weapon systems cybersecurity," GAO says, while noting that the military has belatedly been getting its act together. "Finally, DoD is still determining how best to address weapon systems cybersecurity."
Even so, GAO says that penetration testing reports that it reviewed found that weapons could be subverted. "Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO says. "In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."
One example: A report showed that testers were able to guess the administrator password for a weapon system in just 9 seconds, although GAO notes that this speed isn't a useful metric, because it doesn't distinguish between guessing or the use of highly automated attack tools.
Password Security Deficit
The bigger-picture problem, however, is a poor approach to password security, it says.
"Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software," GAO says. "Multiple test teams reported using free, publicly available information or software downloaded from the internet to avoid or defeat weapon system security controls."
But one report caveat voiced by Jake Williams, a former member of the U.S. National Security Agency's hacking unit who now runs security consultancy Rendition Infosec in Augusta, Georgia, is that it's not clear how easy it might be for cyberattackers to access various weapon systems.
"The GAO report authors have failed to distinguish between 'remotely exploitable' and 'exploitable from the internet,'" Williams says in a recent SANS Institute email newsletter. "These are two very different things."
It's not clear whether this omission was intentional or if "the data to clarify what was meant by 'remote access' simply wasn't available" in the reports reviewed by GAO, Williams says. "While many weapon systems are remotely exploitable, this can only be done from a privileged position in the network - one which usually requires physical access."
Attack Detection: OPM Case Study
Another problem for Defense Department weapon systems noted in the GAO report was detecting when an attack was occurring or may have occurred.
"A common way to detect cyber activity is to review logs of system activity looking for unusual occurrences," GAO says. "Multiple test reports indicated that test team activity was documented in system logs, but operators did not review them. One test report noted that the system had no documented procedures for reviewing logs.
As an example of what can happen when administrators are not actively looking for attacks, GAO referenced the biggest known U.S. government data breach to date: the cyberattack against the Office of Personnel Management that started in December 2014 that wasn't detected until April 2015. "Attackers exfiltrated personnel files of 4.2 million government employees, security clearance background information on 21 million individuals and fingerprint data of 5.6 million of these individuals," GAO says (see Stolen OPM Fingerprints: What's the Risk?).
"Attackers used a contractor's OPM credentials to log into the OPM system, installed malware, and created a backdoor to the network. These attackers were in OPM's networks for at least 14 months. Over 2,000 pieces of malware were later identified on OPM devices."
Many security experts suggested that the OPM breach was commissioned by or performed on behalf of Chinese intelligence agencies. China, however, blamed criminals (see Cybercrime Groups and Nation-State Attackers Blur Together).
Last year, the FBI arrested Yu Pingan, a Chinese national, on charges that he was a "malware broker" who distributed a remote-access Trojan called Sakula that has been tied to multiple mega-breaches, including attacks against OPM as well as health insurer Anthem, which exposed personal information for 80 million individuals in the United States.