The U.S. Department of Veterans Affairs (VA) disclosure that the information of 46,000 U.S. service people recently was breached through an apparent social engineering scheme underscores the need for government vigilance even when a significant investment has been made in state-of-the-art protection.
Security experts said the relatively low number of impacted accounts (by comparison, the 2015 U.S. Office of Personnel Management (OPM) breach affected 21.2 million) suggested the VA’s internal monitoring might have quickly detected something was awry, allowing the agency to mitigate before hackers tampered with far more records.
When contacted by SC, all that VA Press Secretary Christina Noel would say is “the VA’s independent inspector general is investigating this issue; and in order to protect the integrity of the investigation, VA can’t comment further.”
The government offered only sketchy details of the breach, saying that unauthorized users exploited authentication protocols to change financial information and divert payments intended for community health care providers that treated veterans. The government is offering free credit monitoring services to affected veterans or their survivors.
What is not known is who was behind the attack, when it took place, whether it was successful (for instance, if hijacked payments were converted to bitcoins or some other bank account) or how long intruders might have been sitting in the network before the VA’s Financial Services Center (FSC) took the application offline and reported the tampering to the VA’s Privacy Office.
“While the VA does not comment on the timing of the incident, based on the relatively small scale of the breach we can assume this happened recently,” said Ilia Sotnikov, Netwrix vice president of product management.
Sotnikov urged the VA to review whether it’s taking every security step necessary to protect financial, as well as veterans’ sensitive personal and healthcare data. He advised limiting the number of users that have access to sensitive information and properly locking down account access with multiple layers of authentication.
“The federal government has a bigger responsibility to protect the systems they use to transact their business because the potential for damage is much higher,” commented Brandon Hoffman, CISO at Netenrich, noting that previous breaches of federal government systems have led to significant damage.
“The latitude given to federal agencies is also something that is worth discussing,” Hoffman said, criticizing the lack of a central policy governing security and data resiliency across the federal government at large.
Tim Wade, technical director of the CTO team at Vectra, also called for federal systems to rapidly modernize IT security capabilities. “Leadership at the top must take accountability, and cultural changes must occur, if we are to expect these patterns to abate,” he said, adding that “it is probably a relief to someone somewhere that this breach accounts for less than fifty thousand.”
Jumio CEO Robert Prigge suggested that government entities implement biometric authentication, which verifies identity using a person’s unique physical traits, arguing that it is far more secure because it cannot be bypassed through credential stuffing or social engineering techniques.