On October 27, 2016, an unknown person or persons of interest stole 134,386 names and social security numbers of US Navy sailors from a laptop of a contractor working for Hewlett Packard and under contract by the Navy. The exfiltrated data derives from the Career Waypoints database (C-WAY). The C-WAY database is used for re-enlistment submissions and requests for Navy Occupational Specialties. The last time the Navy suffered a breach of this scale was when the Iranians hacked into unclassified Navy systems in 2014.
Hewlett Packard Enterprise Services notified the Navy in October and the event was disclosed to the media and public on November 23. It is not clear how the information was exfiltrated or who perpetrated the unauthorized access. Further, if this is a result of a specific attack, the information sought was very targeted and suggests at least a tenuous relationship with other data compromised as part of the OPM hack in June of 2015. Was this information accessed directly (physically) as a result of the contractor’s indiscretion? Or was the information accessed remotely via an existing vulnerability in the C-WAY database?
The Navy’s response to this incident in terms of its privacy obligations to its sailors seems tepid at best, reflecting an OPM-type resolution. Sailors are likely to be provided with a year of identity protection. What seems left out of most media reporting is a counter-intelligence plan and how the Navy expects to execute that plan with respect to the hacked sailors. To this author’s knowledge, the NCIS (Navy Criminal Investigative Service) does not keep track of all the sailors or government and contractor personnel who have been hacked to determine if they have been approached by Hostile Intelligence and Security Services (HISS, formerly FISS). If true, it would be an egregious oversight to leave American sailors lost at sea when it comes to what to do when approached by HISS. In fact, this should be an excellent opportunity for the NCIS to predictively isolate and identify sailors who might be leads to adversarial efforts at asset recruitment.
Finally, this seems to be part of a continuing trend for the US government. To date, according to CyberRisk Analytics there have been 3484, and 2,917,352,918 records disclosed to date. According to Risk Based Security, as of October 2016 the business sector accounted for 49.26% of all breaches, followed by unknown at 24.1% and then government at 12.2%. In this event, it seems unclear whether this disclosure will be counted under business or government. However, it certainly seems to work in Uncle Sam’s favor if all “breaches” or “unauthorized access” incidents were in fact committed by the contractors it employs. According to reporting, this event was discovered and likely remediated by Hewlett Packard, leaving us to wonder why a component of US Navy Information Assurance did not identify this.
In summary, this breach was not handled in the worst way. It certainly was preventable (again) and it demonstrates at least our lack of cohesive response actions when our service members’ private information is stolen. Who is held accountable? The single contractor? The system that promotes government dependence on commercial development? The lack of risk propensity to pursue these perpetrators, seek attribution, and then reciprocate punitively? Unfortunately, it is not one answer, but rather more likely a combination of all three. For more information on information security and how to manage your own online and computational security, visit the United States Computer Emergency Readiness Team’s site.