Over 25,000 US government employees warned about ‘data breach incident’, read what the letter says |


The US government is reportedly notifying more than 26,000 current and former employees, job applicants and partners about a cybersecurity incident. The Pentagon reportedly mentioned that their sensitive personal information may have been exposed online in a “data breach incident” which was first detected in early 2023.
In a notice by the Defense Intelligence Agency sent to a Defense Department official (seen by DefenseScoop), the US government has encouraged them to sign up for government-provided identity theft protection services as a result of the exposure.

Read what the letter says

The document read: “This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3, 2023 through February 20, 2023, numerous email messages were inadvertently exposed to the Internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation.”
PII refers to any data that can be used to distinguish or trace someone’s identity. This includes information like addresses, Social Security numbers, credit card info and biometric records.

What the Pentagon has to say about the incident

In a statement a Pentagon spokesperson said, “there were over 20,600 individuals affected. As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure.”

However, the spokesperson didn’t confirm the service provider that was involved or when the department first started informing people that their data may have been exposed more than a year ago.

“DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing,” the spokesperson added.
In the letter mailed to possible victims of the data breach, the DIA also noted that in the aftermath of the event, the department has worked with the service provider to understand what happened and mitigate future risks. This includes modifying procedures and putting additional capabilities for anomaly detection and alerts into place.
“This incident involved multiple department organisations. Each organisation reviewed the affected information to determine whether their personal data was part of the exposure. Following this analysis, a small portion of data from multiple organisations required a secondary review for validation of identities of affected individuals and contact information. This overall assessment process took several months. DOD obtained an Identity Protection Services contract for the affected individuals of these organisations. The contract was awarded in September 2023 and each affected organisation has been working actively with the contractor to notify the affected individuals,” the spokesperson noted.


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *