Breach Notification , Data Breach
Breach Traces to 'Compromised' Hewlett Packard Enterprise Services Laptop Credit: Petty Officer 3rd Class Sean M. Castellano, U.S. Navy (Flickr/CC)The U.S. Navy is set to begin notifying more than 130,000 current and former sailors that their personal information was exposed in a data breach and "accessed by unknown individuals."
See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short
The Navy says it first learned of the breach on Oct. 27, when Hewlett Packard Enterprise Services warned that a laptop issued to one of its employees - supporting a contract between HPES and the Navy - "was reported as compromised."
Hewlett Packard Enterprise didn't immediately respond to a request to provide more information about the breach or the circumstances surrounding the loss of the laptop.
But the Navy says that an investigation conducted by HPES and the Naval Criminal Investigative Service concluded Nov. 22 that "sensitive information, including the names and Social Security numbers (SSNs) of 134,386 current and former sailors, were accessed by unknown individuals."
The NCIS investigation is continuing.
"The Navy takes this incident extremely seriously - this is a matter of trust for our sailors," Chief of Naval Personnel Vice Adm. Robert Burke says in a statement. "We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach."
Compromised: Career Database
The lost data related to the Career Waypoints database, known as C-WAY, which sailors use to submit requests to reenlist as well as requests relating to the Navy Occupational Specialty, which catalogs skills and primary jobs, Navy Times reports.
In what may have been an attempt to downplay the incident, the Navy first announced the news of the breach just after 5 p.m. Eastern Time on Nov. 23, the day before Thanksgiving.
Despite the information having been accessed by "unknown individuals," to date the NCIS investigation has found "no evidence to suggest misuse of the information that was compromised," the Navy says.
Identity Theft Concerns
But stolen Social Security numbers are often fodder for identity thieves. On that front, the Navy says it's "reviewing credit monitoring service options for affected sailors" and that it plans to alert breach victims "in the coming weeks by multiple means including phone, letter and email."
Many security experts, however, advise breached organizations to avoid sending data breach notifications to breach victims via email, given the ease with which attackers can imitate such notifications to launch social engineering attacks, thus potentially compounding breach victims' problems.
Redux: Navy Breach Tied to HP
This isn't the first Navy database breach to involve Hewlett Packard, which in October 2014 split into Hewlett Packard Enterprise, a technology infrastructure, software and services company; and HP Inc., a personal systems and printing company.
In March 2014, the Navy reported that after discovering that the Navy Marine Corps Intranet network - its unclassified administrative network - had been breached, it took four months to eliminate attackers' access to systems and lock them down, at a cost of $10 million. The intranet was maintained by HP, as part of a contract that was awarded to HP in 2000 and renewed in 2010, The Wall Street Journal reported.
HP had referred to the Navy Marine Corps Intranet as "the world's largest and most secure intranet."
U.S. officials blamed the intranet intrusion on Iran.
But multiple security experts said the real breach culprit was poor contract oversight by the Navy, noting that no provision was in place to ensure that HP not only administered the intranet, but kept it secure, The Wall Street Journal reported. Due to that oversight failure, it reported, no one was ensuring that Microsoft SQL databases were being kept updated, which allowed attackers to launch a SQL injection attack via the Navy's public-facing website and then gain access to the unprotected databases.