The Navy said last week that sensitive personnel information, including names and Social Security numbers of 134,386 current and former sailors, was compromised and accessed by unknown individuals after a notebook from a contractor was breached.
The hacking, announced the day before Thanksgiving, highlights the ongoing cybersecurity challenges that federal agencies face, especially as they work with contractors. The breach demonstrates that agencies still must do more to enhance data protection and provide cybersecurity best practices to their IT workers and contracting partners.
Behind the Breach
The Navy said that on Oct. 27, Hewlett Packard Enterprise Services (HPES) notified them that that one of the company’s notebooks was reported as compromised. The notebook had been used by an HPES employee supporting a Navy contract.
Following an analysis by HPES and a continuing Naval Criminal Investigative Service investigation, the Navy said that it determined on Nov. 22 that sensitive information had been breached.
“The Navy takes this incident extremely seriously — this is a matter of trust for our sailors,” Vice Adm. Robert Burke, chief of naval personnel, said in a statement. “We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.”
The Navy said it will notify those affected in the coming weeks by multiple means —including phone, letter and email — and is working to provide them with further details on what happened. Additionally, the Navy is reviewing credit monitoring service options for affected sailors. At this point, according to the Navy, there is no evidence to suggest that the information involved in the breach has been misused. It is also unclear which actors are behind the breach.
Citing an unnamed Navy official familiar with the investigation, Navy Times reported that the data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.
The Importance of Data Security
The Navy breach is much smaller than the ones that affected the Office of Personnel Management in 2014. Those attacks — the full extent became public in the summer of 2015 and U.S. officials have attributed them to Chinese hackers — led to theft of personal information of 22.1 million current, former and potential federal employees.
“The security and privacy of our clients is a top priority for Hewlett Packard Enterprise (HPE),” Thomas Brandt, a spokesman for Hewlett Packard Enterprise, told ABC News in a statement. “This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”
It’s unclear if the notebook was accessed via a weak firewall or if the device itself was unencrypted and hacked. However, the breach highlights how important it is for all agencies, and military branches in particular, to invest in data protection — and insist that their contracting partners do so as well.
“This clearly shows how intricate the IT security landscape has become,” Ebba Blitz, CEO of encryption company Alertsec, said in a statement. “We not only need to protect our own IT, we also need to protect entities affiliated with us. Any third party that has access to sensitive data is posing a threat to an organization. This data must be protected.”
As Computer Weekly reports, the breach also highlights the fact that federal IT departments are reliant on third parties to ensure security for endpoints that are used to access internal systems and data, according to Jon Fielding, managing director for Europe at hardware-encrypted USB drive maker Apricorn.
“Most will deem direct access too risky, for reasons evidenced by the U.S. Navy breach, and block access altogether,” he said.
Agencies can give third parties secure hardware and trusted software images for the duration of a contract, but that can be very expensive. Agencies can also offer limited access through remote desktop browser plug-ins. Apricorn promotes secure images on USB drives. Yet other vendors, like VMware, argue in favor of virtualization technology to ensure security.