By Bruce Sussman
Tue | Sep 15, 2020 | 4:45 AM PDT

Many served the United States on land. Others while stationed at sea. And some defended the U.S. by air.

But hackers and cybercriminals don't care about any of that.

Now, the Department of Veterans Affairs (VA) is sending breach notification letters to tens of thousands of veterans impacted by a recent data breach.

What do we know about the VA data breach against veterans?

According to the VA's public Notice of Compromised Personal Information, this cyber attack targeted one of the VA's online applications. And the purpose of the attack was to redirect and steal money that was meant to pay for veteran care at the VA.

Here is how cybercriminals carried out the attack:

"A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.

To prevent any future improper access to and modification of information, system access will not be re-enabled until a comprehensive security review is completed by the VA Office of Information Technology."

How large was the VA data breach?

On the bright side, this breach impacted only 46,000 veterans.

However, the fact that this is viewed as a small government data breach is a sign of trouble, according to Tim Wade, who is Technical Director of the CTO Group at Vectra:

"Given that the loss of records safeguarded by the federal government has been in batches of hundreds of thousands, or even millions in recent memory, it is probably a relief to someone somewhere that this breach accounts for less than fifty thousand. 

That we're framing this loss in that context just further underscores the need for federal systems to rapidly modernize IT security capabilities. Leadership at the top must take accountability, and cultural changes must occur, if we are to expect these patterns to abate."

What kind of personal data was stolen in the VA data breach?

The VA did not specifically list all types of personally identifiable information (PII) veterans lost during the data breach, except to say some had their Social Security numbers compromised.

And this is where we get to the really heartbreaking part.

Some of the veterans impacted in this data breach are no longer living. Now, deceased veterans or even their families may be at risk.

"To protect these Veterans, the Financial Services Center (FSC) is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information."

How do I know if I am part of the VA data breach?

If you are a military veteran, thank you for your service.

And if you are now wondering whether your information is part of this recent VA data breach, keep an eye out for a physical letter from the VA.

"Veterans whose information was involved are advised to follow the instructions in the letter to protect their data. There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident."

If you do not receive a letter, then you should be in the clear—this time.

Read it for yourself: VA Data Compromise Public Notice