CNBC is reporting today that the Pentagon disclosed a cyber breach of Defense Department travel records that compromised the personal information and credit card data of up to 30,000 U.S. military and civilian personnel. IT security experts commented below.
Pravin Kothari, CEO at CipherCloud:
“In context, this breach at DOD is potentially part of a much larger campaign by several well-known nation-states to build out a comprehensive database on our civilian and military population, our businesses, and all of their activity from one end of the supply chain to the other. They are possibly collecting databases and information, and building cross-indexes to utilize all of this data. This is in addition to all of the other nefarious activities they attempt when breaching our online information technology assets. This activity won’t stop. In fact, left unchecked it will get worse. Increasing cybersecurity risk necessitates that we stop talking and start deploying known best practices that can afford some protection. These include end-to-end encryption of data, both in the cloud and on-premise, the use of two-factor authentication, network segmentation, and more.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.:
“The sad truth is that many of the affected individuals in the DoD breach had been victimized in other large and small-scale breaches over the past few years, including 2015’s Office of Personnel Management breach that affected 21.5 million federal employees and contractors.
“The treasure trove of personally identifiable data on the Dark Web just continues to grow, enabling fraudsters to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal and credit card information obtained in the DoD breach could be cross-referenced with data obtained from the OPM breach and other widely publicized private sector breaches.
“Cyberattacks will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure that all third-party partners have equal cybersecurity measures in place.”