Written byChris Bing
A hacker broke into Navy systems last week and accessed the personal data of more 130,000 current and former U.S. Navy sailors, the service announced Wednesday.
“The Navy takes this incident extremely seriously — this is a matter of trust for our sailors,” said Chief of Naval Personnel Vice Adm. Robert Burke. “We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.”
The attacker was reportedly able to break into the Navy’s IT infrastructure through a compromised laptop belonging to an employee of Hewlett Packard Enterprise Services, a supporting U.S.-based government tech and defense contractor.
The aforementioned HPES employee was reportedly working under a contract with the Navy for a program known as Career Waypoints, an internal job board platform used by sailors.
Affected servicemen and veterans are currently being notified of the breach by email, letter and phone. The Navy is now “reviewing credit-monitoring service options” for potential victims of the breach but at this stage in the investigation there is “no evidence to suggest misuse of the information,” a statement reads.
“This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of Navy personnel,” HPES said in a statement.
An internal investigation has yet to uncover evidence that the compromised Navy personnel records — containing Social Security and other personal information — is being used for malicious purposes, according to the Navy Times.
It remains unclear exactly how the contractor’s laptop was hacked. Inquiries sent by CyberScoop to a Navy and HPES spokesperson have yet to be answered.
The Navy’s recent data breach illustrates the risks posed by third-party devices — brought in from outside channels — that rely upon the connectivity supplied by a secure network. Because third-party devices are typically also used in non-secure work environments independent of a specific contract, these devices are open to a host of different threats and additional attacks that would be normally stopped by security technologies implemented by a Department of Defense caliber network.