The United States Department of Veterans Affairs (VA) recently experienced a data breach that resulted in unauthorized access to the information of around 46,000 veterans, the agency posted on its website. The VA was able to take immediate action upon learning about the incident.
The veterans’ data was accessed through one of the Financial Services Center’s (FSC) online applications. The access was used to “divert payments to community health care providers for the medical treatment of Veterans.”
According to the department’s news release, “A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA.”
Moreover, the malicious party used social engineering tools and exploited authentication protocols. Synopsys principal security consultant Thomas Richards asserted that social engineering “is a common tactic to gain unauthorized access to applications and systems.”
Richards suggested that front-facing applications should always be equipped with multi-factor authentication. Moreover, he highly recommends doing regular assessments and education sessions for staff to make them aware of such threats.
This way, the agency can minimize the chance of a successful cyberattack. InfoSecurity noted that the VA Office of Information Technology is performing a comprehensive security investigation.
The application in question was taken offline and the incident was reported to the VA’s Privacy Office. The news release also said that “system access will not be re-enabled until a comprehensive security review is completed by the VA Office of Information Technology.”
These measures were taken to avoid any illegal access to and modification of vets’ information in the future. The FSC is also in the process of notifying individuals whose data were compromised, including the deceased’s next-of-kin.
Veterans who received such an alert by mail are urged to follow the VA's instructions to secure their information. They are also encouraged to get in touch with the FSC Customer Help Desk through mail or email.
As a way to address the issue, the department is providing free credit monitoring services, especially to those whose social security numbers may have been disclosed.
The agency reminded veterans that those who did not receive any notification about this incident do not need to take action because their data was not compromised.
InfoSecurity remarked that this is not the first time the VA has experienced an attack. In September 2019, some security researchers found a spoofed VA recruitment website that injected spyware into visitors’ devices.