The US Department of Veterans Affairs (VA) Financial Services Center (FSC) has written to 46,000 veterans. It is warning them that their names and social security numbers have been stolen through a data breach. The breach occurred in an online application that provides payment statuses to VA community healthcare providers. The VA admitted that the attackers were able to divert payments but, so far, has provided little detail on what was stolen.
All the affected veterans have been offered access to free credit monitoring services for one year. The VA has also said: “Veterans or next-of-kin who receive notification their information is potentially at risk from this incident can send questions to VAFSCVeteransSupport@va.gov or write to VA FSC Help Desk, Attn: Customer Engagement Center, PO Box 149971, Austin, TX 78714-9971.”
How did this happen, and what is the VA doing about it?
In its official statement, the VA states: “A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”
This appears to have been a phishing attack against individual members of staff to steal user credentials. What is not clear is what the phrase “exploiting authentication protocols” means. Is this simply another way of saying the attackers stole user credentials? Was there multi-factor authentication, and was that compromised by the attackers?
Answers to these questions will have to wait until the investigation by the VA Office of Information Technology is complete. For now, system access is suspended, and the VA says it will not be re-enabled until that investigation is complete.
Enterprise Times: What does this mean?
This is not the first, nor will it be the last, data breach at the VA. The information that it holds is valuable to nation-state attackers. The VA also has an annual budget of over US$240 billion, making it a lucrative target for attackers. It will be interesting to see just how much money was diverted as a result of this latest attack.
For many US veterans, this is just another breach in a long line of breaches. The VA and the outside agencies that it uses, from healthcare to law firms, seem unable to keep data safe. In the past, breaches have been blamed on old, insecure and complicated IT systems. This time it is social engineering that is getting the blame.
The question that many US veterans want answered is: why does this keep happening?