Sailors’ personally identifiable information stolen by Ricky Ninja

On October 27, 2016, an unknown person or persons of interest stole 134,386 names and social security numbers of US Navy sailors from a laptop of a contractor working for Hewlett Packard and under contract by the Navy. The exfiltrated data derives from the Career Waypoints database (C-WAY). The C-WAY database is used for re-enlistment submissions and requests for Navy Occupational Specialties. The last time the Navy suffered a breach of this scale was when the Iranians hacked into unclassified Navy systems in 2014.

Hewlett Packard Enterprise Services notified the Navy in October and the event was disclosed to the media and public on November 23. It is not clear how the information was exfiltrated, or who perpetrated the unauthorized access. Further, if this is a result of a specific attack, the information sought was very targeted and suggests at least a tenuous relationship with other data compromised as part of the OPM hack in June of 2015. Was this information accessed directly (physically) as a result of the contractor’s indiscretion? Or was the information accessed remotely via an existing vulnerability in the C-WAY database?

The Navy’s response to this incident in terms of its privacy obligations to its sailors seems tepid at best, reflecting an OPM type of resolution. Sailors are likely to be provided with a year of identity protection. What seems left out of most media reporting is a counter-intelligence plan and how the Navy expects to execute the plan with respect to the hacked sailors. To this author’s knowledge, the NCIS (Navy Criminal Investigative Service) does not keep track of all the sailors or government and contractor personnel who have been hacked to determine if they have been approached by Hostile Intelligence and Security Services (HISS, formerly FISS). If true, it would be an egregious oversight to leave American sailors lost at sea when it comes to what to do when approached by HISS. In fact, this should be an excellent opportunity for the NCIS to predictively isolate and identify sailors that might be leads to adversarial efforts at asset recruitment.

Finally, this seems to be part of a continuing trend for the US government. To date, according to CyberRisk Analytics there have been 3484, and 2,917,352,918 records disclosed to date. According to Risk Based Security, as of October 2016 the business sector accounted for 49.26% of all breaches, followed by unknown at 24.1% and then government at 12.2%. In this event, it seems unclear whether this disclosure will be under business or government. However, it certainly seems to work in Uncle Sam’s favor if all “breaches” or “unauthorized access” incidents were in fact committed by the contractors it employs. According to reporting, this event was discovered and likely remediated by Hewlett Packard, leaving us to wonder why a component of US Navy Information Assurance did not identify this.

In summary, this breach was not handled in the worst way. It certainly was preventable (again) and it demonstrates at least our lack of cohesive response actions when our service members’ private information is stolen. Who is held accountable? The single contractor? The system that promotes government dependence on commercial development? The lack of risk propensity to pursue these perpetrators, seek attribution, and then reciprocate punitively? Unfortunately, it is not one answer, but rather more likely a combination of all three. For more information on information security and how to manage your own online and computational security, visit the United States Computer Emergency Readiness Team’s site.

Featured image courtesy of CNBC.

Slavin, Eric. “Names, Data of More than 134,000 Sailors Compromised.” US Military. Stars and Stripes. Accessed November 27, 2016. http://www.military.com/daily-news/2016/11/24/names-data-more-134-000-sailors-compromised-contractor-breach.html.
“CyberRiskAnalytics.” Accessed November 27, 2016. https://www.cyberriskanalytics.com/#statistics.
“Iranian Hacking of Navy Computers Reportedly More Extensive than First Thought.” Text.Article. FoxNews.com, February 18, 2014. http://www.foxnews.com/politics/2014/02/18/iranian-hacking-navy-computers-reportedly-more-extensive-than-first-thought.html.
Larter, David. “Personal Data for More than 130,000 Sailors Was Breached, Navy Says.” US Military. Navy Times. Accessed November 27, 2016. https://www.navytimes.com/articles/data-breach-exposes-more-than-100-000-sailors-information.
Risk Based Security. “2016 Q3 Data Breach Quickview Report.” Information Security. Risk Based Security. Accessed November 27, 2016. https://pages.riskbasedsecurity.com/2016-q3-data-breach-year-in-review.

About Coriolanus

Coriolanus's background is as an all source fusion intelligence analyst. He currently works as a hybrid intelligence analyst and security engineer. He has worked in the intel industry for over ten years and specializes in DoD joint intelligence analysis, counter terrorism, joint targeting, and cyber information operations, among others. Coriolanus has worked at the tactical, operational, and strategic levels of war working for special mission
