A breach of a system hosted by the Defense Information Systems Agency, the Department of Defense’s primary IT support agency, affected “approximately 200,000” users after a malicious actor may have gained access to names and Social Security numbers, according to a Pentagon spokesman.
Chuck Prichard, a DoD spokesman, said there is “no evidence to suggest that any of the potentially compromised [personally identifiable information] was misused.” DISA is sending letters notifying potentially affected users, in line with agency policy.
He added that affected individuals “will subsequently receive additional correspondence with information about actions that can be taken to mitigate possible negative impacts.”
The news of the breach was first reported by Reuters.
Prichard said the breach was discovered during summer 2019. According to Reuters, which viewed a copy of the letter sent out to DISA officials, the breach occurred between May and July 2019.
Affected users will also receive free credit monitoring, Prichard said.
Prichard declined to specify what network was breached, only that it was hosted by DISA. He also declined to comment on how long the actor was in the network.
“DoD and DISA take the security of our people, information (or data) and operations very seriously and actively monitor potential threats," Prichard said. “For operational security reasons, the department does not comment on the actions taken to mitigate risks or vulnerabilities.”
He did add that “DISA ... conducted a thorough investigation of this incident and taken appropriate measures to secure the network.”
According to its website, DISA employs over 8,000 military and civilian employees. The agency’s mission includes protecting the Department of Defense Information Network, a global DoD network used for sharing and storing information. DISA runs a variety of other systems, including combat support, DoD enterprise email and other communication networks.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.