Breach Notification , Governance & Risk Management , Incident & Breach Response
Defense Department Agency Reports Data BreachDefense Information Systems Agency Has a Security Mission
A U.S. Defense Department agency that's responsible for providing secure communications and IT equipment for the president and other top government officials says a data breach of one of its systems may have exposed personal data, including Social Security numbers.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Defense Information Systems Agency, or DISA, is issuing notification letters to individuals who may be affected. While Defense Department officials did not provide specifics about the data breach, such as when it happened or how many individuals may have been affected, the notification letter refers to a data breach of a system hosted by the agency.
"While there is no evidence to suggest that any of the potentially compromised [personally identifiable information] was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised," Chuck Prichard, a DISA spokesperson, tells Information Security Media Group. "Individuals possibly affected by this incident will receive letters containing initial notification of the situation. They will subsequently receive additional correspondence with information about actions that can be taken to mitigate possible negative impacts."
Some of those who received the DISA notification letter have posted it online. The notification states: "During the May to July 2019 timeframe, some of your personal information, including your Social Security number, may have been compromised in a data breach on a system hosted by the Defense Information Systems Agency."
The letter also states that the agency is taking new security measures to help prevent future incidents and is offering those potentially affected free credit monitoring services.
Awesome. Got another #PII #breach letter from DoD. Is this like pokemon where I want to catch them all? pic.twitter.com/TNOvEQwkO4— Andy Piazza (@klrgrz) February 18, 2020
DISA in the Spotlight
DISA, based in Fort Meade, Maryland, employs about 1,600 active-duty U.S. military personnel and 7,000 civilian workers, according to its website.
The agency's main purpose is to provide secure IT and communications equipment to President Donald Trump, Vice President Mike Pence, the defense secretary and other government and military officials, according to the website.
In addition, DISA was directed in 2015 to revamp some of the government's security policies following a breach at the U.S. Office of Personnel Management, where more than 20 million records were compromised, according to Reuters. In the last month, U.S. Attorney General William Barr has tied the breaches at the Office of Personnel Management, Equifax and others to Chinese hackers (see: 4 in Chinese Army Charged With Breaching Equifax).
The breach at DISA, a security organization, points to the need for all organizations in all sectors to do more to protect personally identifiable data, says Terence Jackson, CISO of security firm Thycotic.
"Doubling down on the fundamentals, such as patching, network segmentation, two-factor authentication and enforcing and managing least privilege, can aid in reducing the attack surface, but we also have to make sure our [staff members] are trained and encouraged to minimize risky cyber behavior," Jackson tells ISMG.
Other DoD Security Issues
Over the years, other Defense Department units have been called out by government watchdogs and others for poor security practices.
In August, for example, an audit by the Defense Department's Office of the Inspector General noted that despite national security concerns, the Pentagon had purchased thousands of computers, printers and security cameras, as well as networking equipment, that contained known cybersecurity vulnerabilities (see: Pentagon Buys Equipment With Known Vulnerabilities: Audit).
Managing Editor Scott Ferguson contributed to this report.