This just in: the US Navy has been breached. The attackers stole 134,386 records of current and former US Navy personnel, including Social Security Numbers. There are several items of note in this recent cyber security attack, not the least of which is that this is supposed to be a security-based organization. They have their own intelligence service and their own criminal investigative service, in addition to a very large multi-million dollar in-house IT operation. But they still managed to be breached. Further details of the story indicate that an IT subcontractor was actually the source of weakness that allowed the breach. It was a Hewlett Packard subcontractor working for the Navy whose laptop was compromised.
Too Little Too Late
Also, the breach was actually discovered by Hewlett Packard on October 27, but nothing was announced until November 22nd, almost a month after the breach was discovered. If this was merely internal information or US Navy data, it would be understandable to not notify people until later. But this was affecting over 100,000 Navy personnel. This was simply too little too late. And it still raises the question: how long before October 27 did the breach actually occur? How long was it from the time of the actual breach until the breach was discovered by HP? Even earlier in the timeline, one has to wonder how long ago the first attack was initiated. This is the critical time, from the initial attack to the actual security breach, when the attack could have been thwarted and the security breach prevented. Studies have shown that the average breach occurs over 4 months before the victim discovers it happened.
Yes, size matters, but not in the sense that bigger is better. The US Navy is a huge organization with a massive IT and security presence and considerable police power. Hewlett Packard is one of the largest IT vendors in the world. And none of this helped them. The simplest of security protections could have helped, such as proper security procedures around contractor access and contractor procedures for handling of data. The same goes for rules on contractors having access to client data with removable devices such as laptops. I don’t know the details, but these safeguards should be spelled out and drilled into anyone dealing with contractors. At the end of the day, it’s the Navy’s data and they are responsible for keeping it secure from the bad guys and their own contractors. These are the types of breaches that are certainly avoidable. We will learn more in the days to come. But so far this breach seems to have been very preventable.