Security must extend to affiliated entities to ensure protection of sensitive data.
The Navy recently revealed personal data belonging to 134,386 current and former sailors had been compromised. While the details are still unclear, the Navy is reporting a laptop computer belonging to a Navy contractor was the source of the data breach. The Navy said it was notified of the breach by Hewlett Packard Enterprise Services. The breach is believed to have affected only social security numbers and names.
“The Navy takes this incident extremely seriously,” said Chief of Naval Personnel Vice Adm. Robert Burke. “This is a matter of trust for our Sailors. We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.”
In an emailed statement, Thomas Wat Brandt, a spokesman for Hewlett Packard Enterprise, told ABC News, “The security and privacy of our clients is a top priority for Hewlett Packard Enterprise (HPE). This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”
While the source of the attack remains unclear and investigators have not determined if it was attacked through a weak firewall or if the laptop itself was unencrypted and hacked, this latest breach demonstrates the increased demand for third party protection when relying on subcontractors to keep information safe.
And since the U.S. military is increasingly depending on contractors, the issue of cybersecurity at all levels — including contractors — is becoming crucial for the military’s defense. Increasingly, the Pentagon, intelligence community, and military branches have outsourced IT solutions for email, electronic health records, and infrastructure to contractors and MSPs. Those moves typically have a large impact on existing workforce, freeing up federal IT personnel to perform other duties, but they also highlight the dangers of opening systems up to hackers.
Frank Konieczny, chief technology officer for the Air Force, explained that, faced with an IT workforce shortage, it makes more sense to outsource the work to industry entities than to continue training a revolving door of airmen. “We don’t want to manage anything that’s IT, so we are pushing everything out to other vendors, commercial vendors, even for our own bases,” Konieczny said. “We’re going to outsource all that capacity and data centers at the base level as well. We do not have enough airmen to actually do the jobs, so we’d rather buy the expertise from several contractors as opposed to training people. That’s not their mission in life.”
“This clearly shows how intricate the IT security landscape has become,” Ebba Blitz, CEO of encryption company Alertsec, told Business Solutions Magazine in an email. “We not only need to protect our own IT, we also need to protect entities affiliated with us. Any third party that has access to sensitive data is posing a threat to an organization. This data must be protected.”