The U.S. Department of Defense (DoD) is sending letters to service members notifying them that their personal information may have been compromised by hackers who breached a computer network managed by the Defense Information Systems Agency (DISA).
Up to 200,000 people may have been affected by the breach, although there is currently no proof that any of the data has been abused or sold on the black market.
Several recipients of the letters told NBC News on Friday that they were given no information about the scale of the data breach, how it was accomplished, or who perpetrated it:
“I’m an Army vet and government contractor so my info is in a lot of systems maintained by DISA,” Andy Piazza, who also posted his copy of the letter to Twitter, said in an online chat. “No idea the system nor the scale.”
“I have no idea what breach this is associated with,” said retired Air Force Gen. Brett Williams, former director of operations at U.S. Cyber Command, who posted his letter to LinkedIn and spoke with NBC News through the platform.
“Just thought it was interesting to post to demonstrate the lame approach so many people take to handling successful cyber attacks,” Williams said. “Hopefully no ‘for profit’ company would think this is an acceptable response.”
[…]
Phil Waldron, a retired Army veteran who also received a letter, said DISA holds sensitive information about service members.
“DISA is the hub of everything communications, so it’s huge,” Waldron said via a messaging app. “Everybody’s unclassified email runs through DISA.”
The letters were dated February 11 and said the DISA system “may have been compromised” between May and July of 2019. Recipients were advised that their Social Security Numbers might have been among the information exposed by the breach and were offered free credit monitoring services.
The letters suggested following guidelines provided by the Federal Trade Commission to avoid identity theft and place fraud alerts with the three major credit reporting agencies.
“We recommend reviewing online accounts and enabling security features, such as multi-factor authentication, wherever possible,” DISA advised.
Reuters observed that DISA also “provides direct telecommunications and IT support for the president, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the armed forces.” The agency has not suggested that any of these services were compromised.
In a further ironic twist, Reuters noted DISA was involved in improving security after the gigantic hacker attack on the Office of Personnel Management in 2014 and 2015, the “Cyber Pearl Harbor” breach attributed to China that compromised personal data on some 21 million U.S. government employees and contractors.
“This is the second data breach the DOD has disclosed in the last two years. In October 2018, more than 30,000 DOD military and civilian personnel had their personal and payment card details exposed via a security breach at a third-party contractor,” ZDNet recalled.