According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.
The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.
According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4. Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it.
“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino. The vendor was not identified and additional details about the breach were not available.
“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.
Buccino said that due to security reasons, the department is not identifying the vendor. He said the vendor is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.”
Disclosure of the breach comes on the heels of a federal report released Tuesday that concluded that military weapons programs are vulnerable to cyberattacks and the Pentagon has been slow to protect the systems. And it mirrors a number of other breaches that have hit federal government agencies in recent years, exposing health data, personal information, and social security numbers.
The U.S. Government Accountability Office in its Tuesday report said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are “mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats.”
In 2015, a massive hack of the federal Office of Personnel Management, widely blamed on China’s government, compromised personal information of more than 21 million current, former and prospective federal employees, including those in the Pentagon. It also likely occurred months before it was discovered and made public, and it eventually led to the resignation of the OPM director.
Also that year, hackers breached into the email system used by the Joint Chiefs of Staff, affecting several thousand military and civilian workers.
The Defense Department has consistently said that its networks and systems are probed and attacked thousands of times a day.