Pentagon Employee Data Breach, An Eye-Opener
The Pentagon, the defense headquarters of the world’s only superpower, the United States of America, has embarrassingly admitted that it is one of the latest victims of a security breach affecting the personal and financial information of its employees. The breach originated in a system handled by a third-party contractor, not one directly managed by the agency itself. The Department of Defense, which occupies the Pentagon’s iconic building, is a huge organization in itself, employing 1.3 million uniformed personnel and 742,000 civilian employees, 30,000 of whom are allegedly affected by the data breach.
The Department of Defense has so far refused to name the third-party contractor. “On Oct. 4, the Department of Defense identified a breach of personally identifiable information of DOD personnel that requires congressional notification. The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DOD personnel maintained by a single commercial vendor that provided travel management services to the department. This vendor was performing a small percentage of the overall travel management services of DOD,” said Lt. Col. Joseph Buccino, a Pentagon spokesperson.
The agency has refused to reveal how long the security hole that made the breach possible had existed, but it informed the public that the internal IT team reported the breach to the agency’s leadership on Oct. 4. “(DOD) has taken steps to have the vendor cease performance under its contracts. The Department is continuing to assess the risk of harm. While additional information about this incident is being gathered, the department is assessing further remedial measures,” Buccino further explained.
The breach came in the wake of a newly released report on weapon systems cybersecurity, which details the Pentagon’s status as an agency highly vulnerable to hacking. “Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats,” explained the U.S. General Accountability Office.
The hacking of the Pentagon is an eye-opener for the agency, as the Department of Defense bears primary responsibility for securing military weapons. “Multiple weapon systems used commercial or open source software but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the internet to avoid or defeat weapon system security controls,” the GAO spokesperson added.
Julia Sowells
Julia Sowells is a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.