DoD’s Defense Travel System Hacked, Employee Credit Card Info Stolen

Cybersecurity hacker

If a camel is a horse designed by a committee, the Defense Travel System (DTS) is an ugly, unwieldy, nasty, spitting camel.

The Department of Defense implemented the DTS to automate the process of booking, approving, and paying for travel of DoD personnel. It replaces the old paper travel voucher system that served the Pentagon for decades. Perhaps most famously, astronaut Buzz Aldrin filed one after his trip to the moon in 1969.

The Government and Websites: A History

The U.S. government doesn’t have the best track record when it comes to deploying web sites. No one who is familiar with the process of developing a site for the government was surprised in the slightest when the rollout of the Obamacare website went so poorly in 2013. The process is often haphazard, beginning with poorly-defined requirements, followed by requests for technologically difficult features (without an increase in contract award) and months of “I don’t know what right looks like, but I know that’s not it.”

A Government Accountability Office (GAO) report said that the process proceeded “without effective planning or oversight practices, despite facing a number of challenges that increased both the level of risk and the need for effective oversight.” If only that were a unique situation.

So no one should be surprised that the DTS, which every service member must use to book official travel to schools, conferences, and other training away from their home station, is such a mess. Imagine if commercial web sites like Travelocity or Expedia required hours of training to book a flight, rental car, and hotel room, and then crashed when you tried to get approval from your boss for the trip. That would be DTS.

It’s so bad that Deputy Secretary of Defense Patrick Shanahan, in one of his recent monthly email blasts to Pentagon employees, announced that he’s working on replacing it. Absolutely no one will miss it, even the people who created it.

And When Defense Travel System Couldn’t Get Any Worse…It Got Hacked

So it should also come as no surprise that the travel records and credit card information of as many as 30,000 military members and government civilian employees were recently stolen in a data breach at one of the vendors who run DTS.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population,” Army Lt. Col. Joseph Buccino told Military Times. While that certainly puts the hack in perspective (as in, it’s not like we let them have 21.5 Million security clearance applications), it also demonstrates just how slow the Pentagon can be to adapt.

Hackerone is a “white hat” platform where computer hackers work to discover vulnerabilities before criminal hackers can use them to steal data or cause damage. Those discovering these vulnerabilities are paid a bounty. “Hack the Pentagon” is a DoD-sponsored program on Hackerone’s platform that has uncovered thousands of weaknesses in DoD web sites and computer systems. And just this past April, the program featured a 29-day “Hack the DTS” project that resulted in more than 100 reports of vulnerabilities.

According to a press release, the 19 “trusted hackers” uncovered “65 valid unique vulnerabilities, 28 of which were high or critical in severity.” The program paid nearly $80,000 in bounties for the information.

Jack Messer, project lead at Defense Manpower Data Center said in the release that, “DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical.” And yet despite the mission-critical nature of the platform, the DoD still can’t secure it, even after being shown the vulnerabilities.

Shanahan ought to be demanding to know just what the Defense Travel Management Office did with the information. It’s bad enough the thing is nearly impossible to navigate. Users shouldn’t have to worry about theft of their data on top of that. If the most recent hack was the result of a vulnerability that was uncovered in April, or introduced in an attempt to fix one of those vulnerabilities, then a head or two should roll… along with the entire DTS.

Tom McCuin is a strategic communication consultant and retired Army Reserve Civil Affairs and Public Affairs officer whose career includes serving with the Malaysian Battle Group in Bosnia, two tours in Afghanistan, and three years in the Office of the Chief of Public Affairs in the Pentagon. When he’s not devouring political news, he enjoys sailboat racing and umpiring Little League games (except the ones his son plays in) in Alexandria, Va. Follow him on Twitter at @tommccuin

More in Cybersecurity