GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

By Michael Magrath

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems.

Related podcast: Cyber attacks on critical systems have only just begun

On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.

The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.

It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.

Third-party risk

Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel.


The sad truth is that many of the affected individuals in the DoD breach had been victimized in other large and small-scale breaches over the past few years, including 2015’s Office of Personnel Management catastrophe.

You’ll recall that in the OPM breach, the cyber intruders stole a staggering amount of highly sensitive information – deep personnel records for 21.5 million federal employees and contractors. In that caper, criminals got away with Social Security numbers, passwords, and in some cases, fingerprints. The OPM breach put most federal workers since the year 2000 at risk.

Then in August 2017, the FBI arrested a Chinese national suspected of helping to create the malware used in the OPM breach. It will be interesting to see if there is a nation-state tie-in to this latest attack.


It’s not as if big government agencies and most enterprises aren’t making an effort to stop breaches. After all, Gartner forecasts worldwide information security spending will top $124 billion in 2019.

Yet, despite this expenditure of resources and good intentions, the treasure trove of personally identifiable data on the Dark Web just continues to grow, enabling fraudsters to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information.

For example, the personal and credit card information obtained in the DoD breach could be cross-referenced with data obtained from the OPM breach and other widely publicized private sector breaches.

Cyberattacks will continue, and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure that all third-party partners have equal cybersecurity measures in place.

About the essayist: Michael Magrath is Director, Global Regulations & Standards, OneSpan, Inc.

(Editor’s note: LW has supplied consulting services to OneSpan.)

