On November 22, the Navy issued a statement revealing that 134,386 sailors had their personal identifying information (PII) compromised. A laptop used by a Hewlett Packard Enterprise Services (HPES) employee was reported compromised. In other words, the Navy has a data breach on its hands.

While no details were provided concerning which contract HPES was supporting, the Navy Times reports the PII was gleaned from the HPES-supported “Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.”

The information accessed by “unknown individuals” was sensitive PII, including current and former sailors’ Social Security numbers.

Chief of Naval Personnel Vice Adm. Robert Burke advises, “The Navy takes this incident extremely seriously- this is a matter of trust for our Sailors. We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.”

Those affected will be contacted in the coming weeks by phone, letter and email.  The statement optimistically observes, “At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised.”

Protecting Data

The Federal CISO recently called out the need for all within government, which would include the Navy, to “Do the right thing, the right way.” He went on to note, “Many cyber incidents and data breaches could be prevented if we all implemented best practices and practiced proper cyber hygiene.” What we know is that a contractor’s laptop was compromised. We have not yet been told the nature of that compromise. The operational rationale for the contractor having the PII of 134,386 sailors on a laptop remains unknown.

Not the First Time

The Navy Times writes that in 2013 Iran was believed to have penetrated the unclassified Navy and Marine Corps Intranet. The cleanup of that debacle reportedly took over four months to complete. A closer investigation, detailed by the Wall Street Journal in March 2014, revealed that the wording of the contract between the Navy and Hewlett Packard was a bit sloppy, and thus the contractor took the path of no action and did not provide security for the unclassified databases. The Navy ultimately noted the breach was enabled by a contract failure, as the specific databases compromised were not identified in the contract. The Navy accepted ultimate responsibility, as there were no provisions within the contract to maintain the security of the databases, and thus no one was charged with maintaining it.

The Impact and Cost

The impact and cost of this data breach will be significant. According to industry standards, the average cost per record of a data breach is $158. The cleanup of this breach will cost the Navy, the contractor and their cybersecurity insurers approximately $20 million. The impact on those whose PII has been compromised is greater, and hard to measure.

They will all want to put a freeze on their credit with the various credit reporting agencies, check their credit and financial instruments daily, and review all of their online engagements, since, depending upon the means these entities use to verify identity, the compromised PII may be sufficient for someone to social engineer their way into their accounts. The time spent by these individuals is essentially an individual tax imposed by the lack of cybersecurity.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.