[BreachExchange] Pentagon data breach exposed travel data for 30,000 individuals

Destry Winant destry at riskbasedsecurity.com
Thu Oct 18 11:01:06 EDT 2018


The Department of Defense said a Pentagon data breach exposed travel
records for approximately 30,000 military and civilian personnel, but
the investigation is still in progress.

A Pentagon data breach exposed travel records for approximately 30,000
civilian and military personnel. And experts said this information
could be dangerous for victims if it's combined with data from
previous government breaches.

The Department of Defense (DOD) announced the Pentagon data breach,
but details were scarce. A spokesperson for the Pentagon said travel
records -- including personal information and credit card data -- for
about 30,000 individuals were involved, but that number may not be
final. The incident was discovered on Oct. 4, but the DOD could not
say when the breach occurred.

Lt. Col. Joseph Buccino, a Pentagon spokesman, confirmed the breach to
the Associated Press, which first reported the incident. He described
the attack as "a breach of a single commercial vendor that provided
service to a very small percentage of the total population."

Buccino said the Pentagon data breach required the agency to disclose
to Congress, but he added that the investigation is still in progress.

Michael Magrath, director of global regulations and standards at
OneSpan, based in Chicago, said it was likely that many of the
individuals affected by the Pentagon data breach may have also "been
victimized in other large- and small-scale breaches over the past few
years, including 2015's Office of Personnel Management (OPM) breach
that affected 21.5 million federal employees and contractors."

"The treasure-trove of personally identifiable data on the dark web
just continues to grow, enabling fraudsters to steal identities or
create new, synthetic identities using a combination of real and
made-up information, or entirely fictitious information," Magrath
wrote via email. "For example, the personal and credit card
information obtained in the DOD breach could be cross-referenced with
data obtained from the OPM breach and other widely publicized
private-sector breaches."

Pravin Kothari, CEO at cloud security vendor CipherCloud, based in San
Jose, Calif., agreed the Pentagon data breach could potentially be
"part of a much larger campaign by several well-known nation states to
build out a comprehensive database on our civilian and military
population, our businesses and all of their activity from one end of
the supply chain to the other."

"They are possibly collecting databases and information and building
cross-indexes to utilize all of this data," Kothari wrote via email.
"This is in addition to all of the other nefarious activities they
attempt when breaching our online information technology assets."

"This activity won't stop. In fact, left unchecked it will get worse.
Increasing cybersecurity risk necessitates that we stop talking and
start deploying known best practices that can afford some protection,"
Kothari continued. "These include end-to-end encryption of data --
both in the cloud and on premises -- the use of two-factor
authentication, network segmentation and more."
