Why the Pentagon Data Breach is a Wake-up Call for Better Screening of Third-party Vendors
On October 14, 2018, news of a major data breach at the Pentagon hit the headlines.
This was a startling, even disturbing, reminder that even the most important, most secure institutions in the world are vulnerable when hackers identify a way into their systems. As the Department of Defense’s headquarters, the Pentagon plays a critical role in the United States military and national security: it oversees all aspects of the Air Force, Marines, Army, Coast Guard and Navy, ultimately helping to defend the country.
The very notion that a global symbol of security and power would fall prey to a data breach has surprised many, but it shouldn’t have. At a time when cyber-criminals continue to employ increasingly sophisticated techniques to disrupt businesses and organizations of all kinds, this incident is proof positive that proper screening of third-party vendors is critical for effective cybersecurity.
What Data was Involved in The Pentagon Breach?
It’s believed as many as 30,000 employees’ travel records were compromised as a result of the data breach. This includes personal details and credit-card data pertaining to civilians and military personnel: all sensitive information that could have serious financial repercussions if acted upon.
The breach may have first occurred months before it was discovered, and it’s believed the actual number of people potentially affected could rise as the investigation continues. However, no classified information is said to have been compromised.
How Did the Pentagon Breach Happen?
The Pentagon breach was the result of work conducted by a ‘single commercial vendor’, delivering its service to a ‘very small percentage’ of the DoD’s employees. The vendor in question has remained anonymous and was, in the days after the announcement, still contracted to provide its services.
News of the breach struck after the U.S. Government Accountability Office confirmed that work had been undertaken to secure the Pentagon’s networks, though its weapons-system security was under closer scrutiny. They claimed they face more and more challenges in keeping weapons systems secure, owing to the rise of sophisticated cyber-crime tactics.
Pentagon personnel have faced similar issues before. A large attack on the federal Office of Personnel Management in 2015 left the personal details of over 21 million individuals (including people at the Pentagon) compromised. As with this latest incident, the 2015 attack supposedly first occurred months before word of it reached the media.
Who was Responsible for The Pentagon Breach?
One or more attackers seized an opportunity to exploit the vendor’s access to the Pentagon’s network, ultimately stealing the travel records. Little else is known.
This incident, though, is a prime example of how ambitious (or, rather, brazen) cyber-criminals are in their choice of targets. While some may focus on distributing ransomware to small businesses in exchange for payment, others are clearly setting their sights a little higher.
The tools and technology available to such individuals empower them to exploit weaknesses in even those systems that should be the most airtight in the world. While the exact circumstances surrounding the vulnerability created by the vendor remain secret, there is no doubt the company responsible is determined to avoid such an oversight happening again.
It’s also highly likely that the vendor has a strong reputation and valuable experience to have even secured the contract with the Department of Defense in the first place.
This entire incident demonstrates why it’s so vital for businesses and organizations of all sizes, in all sectors, to perform thorough screening of any vendors they intend to work with.
Screening Vendors, Protecting Your Business
No business or organization should ever start working with a vendor without checking their credentials and their background.
Simply settling on the first firm on your radar may not deliver the results you expect — and any mistakes or general incompetence on their part could have major repercussions. You might not have data pertaining to thousands or even millions of civilians in your records, but you could still be risking your customers’ and employees’ privacy by choosing a sub-par team.
If a data breach were to rock your company or organization, the damage could be extensive. First and foremost, those customers whose details have been compromised would be incredibly unlikely to keep working with you in the future.
Fast, effective action can help to minimize the fallout and keep their finances safe from unauthorized access, but their perception of your brand would still be soured.
Your reputation would be affected too, making it more difficult to build trust with new customers or affiliates. That’s not to mention the sheer disruption a breach could cause to your everyday operations, leaving you unable to deliver the services your customers expect for hours, days or longer.
This equates to a potential loss of business and, sadly, income.
Undertaking effective, in-depth screening of your vendors is the smart choice.
Look into any reviews you can find online to learn more about the quality of service previous clients have received. Did they perform as required? Did they follow the right processes and achieve the goals they set out to, while respecting the client’s security needs?
You may consider approaching some of these clients to get a deeper insight into their experience.
Make sure to speak with prospective vendors at length, to get a better idea of how they work, what security measures they take to safeguard systems against breaches, and more. You can only ask so many questions and request so many examples of their prior work before making your decision, but doing your research will help ensure the safest choice for your business or organization.
At The Driz Group, we’re committed to helping our clients stay protected and compliant, minimizing the risk of cyber-attacks using the latest, automated third-party screening technologies. Want to learn more about what we can do for you? Just get in touch!
Steve E. Driz, I.S.P., ITCP