The Department of Veterans Affairs notified veterans Monday morning of a data breach that resulted in the exposure of 46,000 veterans’ personal information.
The breach appears to have stemmed from unauthorized users accessing an application within the Financial Service Center (FSC) to steal payment away from community health care providers.
The VA said malicious actors used “social engineering techniques” and exploited “authentication protocols” to gain access to the system. Affected veterans have been notified with information on how to protect themselves given the breach, the department said.
“A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA,” a press release states. “To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology.”
The faulty applications used to gain access to the FSC system and alter information to falsely receive payments have been taken offline and system access has been disabled pending a security review.
“VA’s independent inspector general is investigating that issue, and in order to protect the integrity of the investigation, VA can’t comment further,” A VA spokeswoman told FedScoop in response to questions about the cost and identity of the attackers.