October 16, 2018

Third-Party Vendor Leaves U.S. DoD and the Pentagon Open to Attack

“Disclosure of the information would be likely to increase the risk of a cyber-attack against IT capability, computer networks and communication devices”

By CBR Staff Writer

The Pentagon is investigating a cyber incident after the records of 30,000 U.S. military and civilian workers were compromised by threat actors in a breach of US Department of Defense (DoD) systems.

According to Pentagon statements to the Associated Press (AP), an internal cyber-security team discovered the breach on October 4.

They found that the personal information and credit card details stored in travel records of DoD workers had been stolen.

Speaking to AP, Pentagon spokesman Lt. Col. Joseph Buccino commented: “The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel.”

The weak link within its systems appears to have involved a third-party vendor, although the Pentagon has declined to name the vendor because of the ongoing investigation and security concerns. It commented through Lt. Col. Buccino that it “has taken steps to have the vendor cease performance under its contracts.”

DoD Cyber-Security Concerns

It’s a bad month for DoD cybersecurity teams: the US Government Accountability Office reported earlier that advanced weapon systems being developed by the DoD contained major cybersecurity vulnerabilities.

The report found that: “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.”


Another test team discovered that it could emulate a denial of service attack by rebooting the systems, which left the system unable to carry out its stated mission for a period of time.

When viewing the incident: “41 Operators reported that they did not suspect a cyber attack because unexplained crashes were normal for the system.”

Pentagon Breach

The Pentagon breach follows reports that the UK’s Ministry of Defence was itself exposed to 37 cybersecurity incidents last year.

In heavily redacted reports obtained by Sky News, it was alleged that critical security information was located in vulnerable systems that could be accessed by foreign states’ surveillance or threat actors.

The MoD commented to Sky News that to disclose any further information other than that the breaches exist would: “Provide potential adversaries with valuable intelligence on MoD’s and our industry partners’ ability to identify incidents and react to trends.”

“Disclosure of the information would be likely to increase the risk of a cyber-attack against IT capability, computer networks and communication devices.”

It was also reported that some peripheral devices had not been scanned as part of cybersecurity due diligence and yet were found to be connected to systems containing classified information.
