[BreachExchange] Major data breach at Marine Forces Reserve impacts thousands

Destry Winant destry at riskbasedsecurity.com
Wed Feb 28 21:12:16 EST 2018


The personal information of thousands of Marines, sailors and
civilians, including bank account numbers, was compromised in a major
data spillage emanating from U.S. Marine Corps Forces Reserve.

Roughly 21,426 people were impacted when an unencrypted email with an
attachment containing personal confidential information was sent to
the wrong email distribution list Monday morning.

The compromised attachment included highly sensitive data such as
truncated social security numbers, bank electronic funds transfer and
bank routing numbers, truncated credit card information, mailing
address, residential address and emergency contact information, Maj.
Andrew Aranda, spokesman for Marine Forces Reserve said in a command

That email was a roster sent out by the Defense Travel System, or DTS,
Marine Corps Times has learned. DTS is a Defense Department system
that assists military and civilian defense personnel with travel
itineraries and settling expenses from official authorized trips.

“It was very quickly noticed and email recall procedures were
implemented to reduce the number of accounts that received it,” Aranda

The email containing the data was sent within the usmc.mil official
unclassified Marine domain, but also to some civilian accounts.

Personal information can be used by criminals or entities to steal
identities, commit bank and credit fraud, or phishing schemes.

In 2015, ISIS posted a ‘kill list’ of 41 Marines and sailors based on
information it pulled from publicly accessible online forums and
social media accounts.

The Marines are still analyzing the extent of the spread of the
sensitive data and plan to implement future changes to better
safeguard personally identifiable information. But Aranda said he
believed “no malicious intent was involved.”

However analyzing the full impact could prove to be a Sisyphean task.
Once the data moves outside of the Marine domain there’s no telling
how far it could spread.

The Corps plans to notify those affected by the breach and provide
guidance on ways to safeguard from identity theft.

“The Marine Corps takes the protection of individual Marines’ private
information and personal data very seriously, and we have steps in
place to prevent the accidental or intentional release of such
information,” Aranda said.

More information about the BreachExchange mailing list