The US Department of Veteran Affairs has suffered a data breach, with the personal information of 46,000 veterans affected.
The Department of Veteran Affairs disclosed the breach yesterday, saying in a statement that “unauthorised users” had been able to access an online application managed by the VA Financial Services Center (FSC).
Currently, the department believes that unauthorised actors were able to change financial information in order to divert payments from Veteran Affairs to community health care providers for the medical treatment of veteran “using social engineering techniques and exploiting authentication protocols”.
It said that the FSC took the application offline, and will not put it back online until a comprehensive security review has taken place, and reported the breach to the Vetran Affairs Privacy Office.
The FSC is now alerting affected individuals of the Department of Veteran Affairs data breach, and will offer access to credit monitoring services to those whose social security numbers may have been included in the breach.
According to ZDNet, the Department of Veteran Affairs suffered a security breach in 2006, after a laptop and a harddrive containing the records of 26m veterans was stolen from an employee’s home.
Sam Curry, chief security officer at Cybereason described the hack as “disgusting”.
“Is there no longer honour among thieves? Their behaviour in this time of crisis is despicable and disgusting,” he said.
“Today, new security threats are surfacing on a regular basis and cyber crime groups are not only well funded but they are patient and persistent. If they have their sights set on one particular company or organisations, nothing will stop them from being successful. The defenders or good guys have to be right 100 percent of the time and that is a monumental task given the expanding digital footprint. From initial reports it looks like the VA is conducting a thorough investigation into this latest breach and that’s great news.
“For the VA, and all organisations, it is essential to implement around the clock threat hunting services and to take the fight to the cybercriminals. This approach will enable security teams to see attacks as they are happening allowing them to stop them. In addition, all organisations should regularly conduct security awareness training to help employees do their part to reduce risk. At a basic level, never open email attachments from unknown sources on any device, don’t visit dubious websites and never download content onto your device from sketchy sources.”