James Steidl - Fotolia

US Navy breach highlights third-party cyber risk

The personal details of more than 130,000 current and former US Navy personnel have been exposed in a breach linked to the compromise of third-party supplier’s laptop

A data breach at the US Navy linked to the compromise of a laptop belonging to an employee of Hewlett Packard Enterprise (HPE) has highlighted the cyber risk of contractors.

Despite a growing list of cyber breaches that involve the exploitation of security weaknesses in suppliers to organisations targeted, security experts say security within supply chains is still widely overlooked.

The US Navy said an investigation revealed that the social security numbers and names of 134,386 current and former sailors had been accessed by “unknown individuals”.

The investigation was carried out after HPE notified the Navy on 27 October 2016 that a laptop belonging to an employee supporting a Navy contract had been compromised.

The US Navy did not say whether the laptop had been hacked or simply lost and subsequently used to access its IT systems.

“The Navy takes this incident extremely seriously. This is a matter of trust for our sailors,” said chief of naval personnel vice-admiral Robert Burke.

“We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach,” he said in a statement.

The US Navy said those affected by the breach would be notified by phone, letter and email, and that it is working to provide further details on what happened.

The US Navy also said it is “reviewing credit-monitoring service options” for affected sailors but, at this stage of the investigation, there is “no evidence to suggest misuse of the information” that was compromised.

“We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach”
Robert Burke, US Navy

“The security and privacy of our clients is a top priority for HPE,” the company said in a statement.

“This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of Navy personnel.”

The breach shows that IT departments are under increasing pressure to support untrusted and unmanaged endpoints of their external partners to allow access to their internal systems and data, said Jon Fielding, managing director for Europe at hardware-encrypted USB drive maker Apricorn.

“Most will deem direct access too risky, for reasons evidenced by the US Navy breach, and block access altogether,” he said.

One costly alternative is to equip the third party with their own hardware and trusted image for the duration of the need for access.

Another option is to provide limited access through remote desktop browser plug-ins, but Fielding said this can be “user unfriendly”, and requires the user to be online all of the time.

Read more about supply chain security

Apricorn is among the suppliers offering a third option of deploying the organisation’s trusted and secure image to a USB stick for the third party to boot into from their own hardware.

“In the case of the US Navy, it could have ensured the HPE employee’s local C: drive was offline, and turn previously unknown and unmanaged hardware into a trusted and managed endpoint with all the controls and standard security protocols of an IT-issued machine,” said Fielding. “This would protect their data, and the USB stick could be hardware encrypted for further protection.”

Supplier security linked to past data breaches

Several high-profile data breaches in the past few years have been linked to failings in the security of suppliers to targeted organisations.

These include the malware-laced phishing emails sent to an air-conditioning supplier to US retailer Target in 2013, and contractor PA Consulting losing the details of 84,000 prisoners on an unencrypted memory stick in 2008.

The theft of credit and debit card data at 330 stores owned by Goodwill Industries International across 19 US states between February 2013 and August 2014 was linked to malware on the IT systems of a third-party supplier.

Also in 2014, US retailer Home Depot said it had traced the world’s second-largest theft of credit card details from its systems back to a supplier’s compromised username and password.

In June 2011, security giant RSA acknowledged for the first time that intruders had launched a cyber attack at Lockheed Martin using data stolen from the company.

And in July 2016, Wendy’s fast-food chain revealed that cyber attackers used compromised third-party credentials to install malware at 20% of its US stores to steal customer credit card details. 

Read more on IT risk management