Pentagon official said on Friday that the Department of Defense had suffered a security breach thanks to a third-party contractor.
An investigation is still underway, so the exact details haven't been made public, but according to an Associated Press report, a DOD official said that roughly 30,000 DOD military and civilian personnel are believed to be affected. This number is expected to grow as the Pentagon's investigation continues.
The official said the breach was discovered on October 4, last week. An attacker (or multiple attackers) appear to have compromised a third-party contractor and used the vendor's access to the Pentagon network to steal travel data for DOD personnel.
The Pentagon said attackers made off with both payment card data and personal information. The DOD did not reveal the contractor's name to AP reporters, citing the ongoing investigation.
"The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel," DOD officials responded via a statement.
The DOD said it plans to notify all impacted personnel in the coming days, and also provide free fraud protection services, in concordance with US legislation.
Lt. Col. Joseph Buccino, a Pentagon spokesman, said the DOD "has taken steps to have the vendor cease performance under its contracts," although the vendor remains under contract.
A Gemalto report released this week said that 4,553,172,708 records had been stolen in the first six months of the year, with an estimated 6,947,320 records stolen every day.
Also: North Korea is likely underwriting cyberattacks by mining Monero TechRepublic
The Pentagon's card breach disclosure comes after a Government Accountability Office (GAO) report, also published this week, concluded that the Pentagon's upcoming next-generation weapons systems are very easy to hack due to improper cyber-security protections.
- DOJ explains recent wave of cyber-espionage-related indictments
- Google forcibly enables G Suite alerts for government-backed attacks
- DHS aware of ongoing APT attacks on cloud service providers
- Twitter bans distribution of hacked materials ahead of US midterm elections
- Microsoft's efforts for a Digital Geneva Convention get underway
- UK Conservative Party conference app leaks MPs' personal details
- US government rolls out 2-step verification for .gov domain owners