Pentagon Travel Provider Data Breach Counts 30,000 Victims

Department of Defense Has Begun Notifying Military and Civilian Breach Victims
The Pentagon, headquarters of the U.S. Department of Defense, in Arlington, Virginia (Photo: Touch of Light, via Flickr/CC)

The U.S. Department of Defense is warning that a data breach has exposed travel records for at least 30,000 personnel.

"On Oct. 4, the Department of Defense identified a breach of personally identifiable information of DoD personnel that requires congressional notification," Lt. Col. Joseph Buccino, a Pentagon spokesman, tells Information Security Media Group.

"The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information of DoD personnel maintained by a single commercial vendor that provided travel management services to the department," he says. "This vendor was performing a small percentage of the overall travel management services of DOD."

The breach, which appears to have affected 30,000 military and civilian personnel, resulted in some of their personal information and payment card data being compromised, the Associated Press first reported.

The Pentagon says its leadership was informed about the breach on Oct. 4 by one of the department's cybersecurity teams. AP reports that the breach may have begun months prior.

Buccino says that the Pentagon will not name the vendor that suffered the breach, due to security concerns and ongoing contracts. But he tells AP that the Defense Department "has taken steps to have the vendor cease performance under its contracts."

The Defense Department says it has begun directly notifying all breach victims. The department is offering victims prepaid identity theft monitoring services, AP reports.

"The Department is continuing to assess the risk of harm," Buccino tells ISMG. "While additional information about this incident is being gathered, the department is assessing further remedial measures."

Weapons Cybersecurity Alert

The warning about the breach at the Pentagon's travel service provider follows a warning on Tuesday from the U.S. Government Accountability Office that the Defense Department's approach to the cybersecurity of its weapon systems is lagging. GAO issued a report titled "Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities."

The review was driven by the U.S. military having "plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems," GAO says in its report summary.

GAO says that for too long, U.S. weapon system developers have treated cybersecurity as an afterthought, and that when information security deficiencies were identified in a program, they were too often ignored or downplayed as not reflecting realistic attack scenarios.

"Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritize weapon systems cybersecurity," GAO says, while noting that the military has belatedly been getting its act together. "Finally, DoD is still determining how best to address weapon systems cybersecurity."

Embedded software and IT systems are pervasive in weapon systems, as represented by this fictitious weapon system. (Source: GAO)

Even so, GAO says that penetration testing reports that it reviewed found that weapons could be subverted. "Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO says. "In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."

One example: A report showed that testers were able to guess the administrator password for a weapon system in just 9 seconds, although GAO notes that this speed isn't a useful metric, because it doesn't distinguish between manual guessing and the use of highly automated attack tools.

Password Security Deficit

The bigger-picture problem, however, is a poor approach to password security, GAO says.

"Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software," GAO says. "Multiple test teams reported using free, publicly available information or software downloaded from the internet to avoid or defeat weapon system security controls."

But one report caveat voiced by Jake Williams, a former member of the U.S. National Security Agency's hacking unit who now runs security consultancy Rendition Infosec in Augusta, Georgia, is that it's not clear how easy it might be for cyberattackers to access various weapon systems.

"The GAO report authors have failed to distinguish between 'remotely exploitable' and 'exploitable from the internet,'" Williams says in a recent SANS Institute email newsletter. "These are two very different things."

It's not clear whether this omission was intentional or if "the data to clarify what was meant by 'remote access' simply wasn't available" in the reports reviewed by GAO, Williams says. "While many weapon systems are remotely exploitable, this can only be done from a privileged position in the network - one which usually requires physical access."

Attack Detection: OPM Case Study

Another problem for Defense Department weapon systems noted in the GAO report was detecting when an attack was occurring or may have occurred.

"A common way to detect cyber activity is to review logs of system activity looking for unusual occurrences," GAO says. "Multiple test reports indicated that test team activity was documented in system logs, but operators did not review them. One test report noted that the system had no documented procedures for reviewing logs."
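The two findings above, password guessing against administrator accounts and logs that nobody reviews, are the kind of thing a minimal log review procedure catches. The following is an added example, not code from the GAO report or from any DoD system: it parses a constructed, hypothetical authentication log format (`host=... user=... result=OK|FAIL src=...`), flags a successful login that follows a burst of failures for the same host, account and source, and flags successful logins under vendor-default account names so an operator reviews them. The account list, thresholds and sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not real weapon system logs.
SAMPLE_LOG = """\
2018-10-09T10:00:01 host=fcs-console user=admin result=FAIL src=10.1.2.5
2018-10-09T10:00:02 host=fcs-console user=admin result=FAIL src=10.1.2.5
2018-10-09T10:00:03 host=fcs-console user=admin result=FAIL src=10.1.2.5
2018-10-09T10:00:04 host=fcs-console user=admin result=FAIL src=10.1.2.5
2018-10-09T10:00:05 host=fcs-console user=admin result=FAIL src=10.1.2.5
2018-10-09T10:00:09 host=fcs-console user=admin result=OK src=10.1.2.5
2018-10-09T10:15:00 host=fcs-console user=operator result=OK src=10.1.2.7
2018-10-09T11:30:00 host=maint-hmi user=root result=OK src=10.1.2.5
2018-10-09T12:00:00 host=maint-hmi user=operator result=FAIL src=10.1.2.7
2018-10-09T12:00:30 host=maint-hmi user=operator result=OK src=10.1.2.7
"""

# Assumed list of account names that commonly ship as vendor defaults.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "service"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts; lines that do not
    match the hypothetical format are skipped rather than crashing the review."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def review_auth_log(text, max_failures=5, window=timedelta(minutes=5),
                    default_accounts=DEFAULT_ACCOUNTS):
    """Return alerts for (a) a successful login preceded by at least
    max_failures failed attempts within `window` for the same host/user/source,
    and (b) any successful login under a vendor-default account name."""
    events = parse_auth_log(text)
    recent_failures = defaultdict(list)  # (host, user, src) -> failure timestamps
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"])
        cutoff = ev["ts"] - window
        # Keep only failures still inside the sliding window.
        fails = [t for t in recent_failures[key] if t >= cutoff]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            recent_failures[key] = fails
            continue
        # Successful login: decide whether it looks like a guessed password.
        if len(fails) >= max_failures:
            alerts.append({
                "type": "guessed_after_failures",
                "host": ev["host"], "user": ev["user"], "src": ev["src"],
                "failures": len(fails), "at": ev["ts"],
            })
        recent_failures[key] = []
        # A login as a default account is a review trigger, not proof that
        # the default password is still set; the operator has to check.
        if ev["user"] in default_accounts:
            alerts.append({
                "type": "default_account_login",
                "host": ev["host"], "user": ev["user"], "src": ev["src"],
                "at": ev["at"] if "at" in ev else ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(f"{alert['at']} {alert['type']:24} host={alert['host']} "
              f"user={alert['user']} src={alert['src']}")
```

On the constructed sample this raises three alerts: the `admin` login on `fcs-console` that follows five failures in ten seconds, and the two successful logins under default account names (`admin` and `root`). The single `operator` failure followed by success is below the threshold and stays quiet, which is the point of the window and count parameters: tune them to the system's real operator behaviour so the review queue stays short enough that someone actually reads it.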

As an example of what can happen when administrators are not actively looking for attacks, GAO referenced the biggest known U.S. government data breach to date: the cyberattack against the Office of Personnel Management, which began in December 2014 but wasn't detected until April 2015. "Attackers exfiltrated personnel files of 4.2 million government employees, security clearance background information on 21 million individuals and fingerprint data of 5.6 million of these individuals," GAO says (see Stolen OPM Fingerprints: What's the Risk?).

"Attackers used a contractor's OPM credentials to log into the OPM system, installed malware, and created a backdoor to the network. These attackers were in OPM's networks for at least 14 months. Over 2,000 pieces of malware were later identified on OPM devices."

The breach also led to the resignation of the independent agency's director (see Analysis: Why the OPM Breach Is So Bad).

Many security experts suggested that the OPM breach was commissioned by or performed on behalf of Chinese intelligence agencies. China, however, blamed criminals (see Cybercrime Groups and Nation-State Attackers Blur Together).

Last year, the FBI arrested Yu Pingan, a Chinese national, on charges that he was a "malware broker" who distributed a remote-access Trojan called Sakula that has been tied to multiple mega-breaches, including attacks against OPM as well as health insurer Anthem, which exposed personal information for 80 million individuals in the United States.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
