US Defense Agency Notifies Users of Serious Breach

A US government agency that provides secure communications to the White House has notified individuals of a data breach that may have compromised their personal information.

The Defense Information Systems Agency (DISA), which also provides IT support for the President, Vice-President, US Secret Service, Joint Chiefs of Staff and others, employs around 8000 military and civilian staff.

However, a letter from its CIO, Roger Greenwell, dated February 11, revealed that details including Social Security numbers may have been breached “on a system hosted by DISA.

“While there is no evidence to suggest that your PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised,” it continued.

There are few other details about the incident, such as which systems were affected, how and by whom. It is said to have taken place between May and July 2019.

It’s also unclear whether the incident affected just DISA employees or a wider base of users of its services. Some reports have speculated that as many as 200,000 could be involved.

The agency is offering free credit monitoring to those affected and said it has now put in place additional security measures “to prevent future incidents,” as well as adopting “new protocols” to improve protection of PII.

Chris Morales, head of security analytics at Vectra, argued that if a US defense agency can be compromised, then “anyone can.

“Every network is complex and human error is common regardless of the level of organization. The information compromised seems to be non-critical to the function of the DoD — although very personal and private to the people compromised — so it may have been an external database without the same level of controls as internal secret information,” he added.

“It is an unfortunate situation and another in a long list of breaches as we head into 2020. Organizations need to get better at how long it takes to be aware of a compromise and how quickly they can respond. Visibility into how systems are used is key.”
