On October 27, 2016, an unknown person or persons of interest stole 134,386 names and social security numbers of US Navy sailors from a laptop of a contractor working for Hewlett Packard and under contract by the Navy. The exfiltrated data derives from the Career Waypoints database (C-WAY). The C-WAY database is used to for re-enlistment submission and request for Navy Occupational Specialties. The last time the Navy suffered a breach of this scale was when the Iranians hacked into unclassified Navy systems in 2014.
Hewlett Packard Enterprise services notified the Navy in October and the event was disclosed to the media and public on November 23. It is not clear how the information was exfiltrated, and who perpetrated the unauthorized access. Further, if this is a result of a specific attack, the information sought was very targeted and suggests at least a tenuous relationship with other data compromised as part of the OPM hack in June of 2015. Was this information accessed directly (physically) as a result of the contractor’s indiscretion? Or was the information accessed remotely via an existing vulnerability in the C-WAY database?
or Log In