The United States’ Defence Information Systems Agency (DISA) has started notifying people that their personal information may have been compromised as a result of a data breach that occured in 2019.
DISA is a Department of Defense combat support agency that employs over 8,000 military and civilian personnel. According to its website, it “provides, operates, and assures command and control and information-sharing capabilities and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of military operations.”
Reuters, which first reported the news, said the agency is responsible for secure communications for President Donald Trump.
In letters sent out recently to affected individuals, DISA informed them that their personal information, including social security numbers, may have been compromised as a result of a data breach impacting a system hosted by the agency. The timeframe of the incident was May to July, 2019.
No information has been provided on the type of data breach — it’s unclear if it was a malicious hacker attack or a case of information exposure resulting from an unprotected server — or the number of affected individuals.
“The information compromised seems to be non-critical to the function of the DoD (although very personal and private to the people compromised) so it may have been an external database without the same level of controls as internal secret information,” Chris Morales, head of security analytics at Vectra, told SecurityWeek.
DISA says it has found no evidence to suggest that the potentially stolen information has been misused, but its policy requires it to notify individuals whose personal data may have been compromised.
The organization says it has implemented additional security measures to prevent such incidents in the future, and is offering free credit monitoring services to affected individuals.
The Pentagon has been running bug bounty programs for several of its branches in an effort to identify vulnerabilities before they can be exploited by malicious actors. The programs covered assets of the Air Force, the Army, and the Marine Corps. Over the past few years, participants reported thousands of vulnerabilities and earned hundreds of thousands of dollars for their findings.
UPDATE. Fifth Domain has learned from the Pentagon that the incident impacted roughly 200,000 users. In addition, the breach appears to have involved an attack launched by a malicious actor.