Share this article on:
The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans.
Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information.
Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review.
The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security numbers of around 46,000 veterans were stolen in the attack and could potentially be used for fraudulent purposes.
All veterans whose information was potentially compromised in the attack have now been notified by mail and have been offered complimentary credit monitoring services. They have also ben provided with information on the steps they can take to protect against fraudulent use of their information.
The VA is currently undergoing a major update of its financial services system; however, there have been several delays and the project is not expected to be completed until 2030. The FTC recently issued a request for information seeking cybersecurity audit services. The cybersecurity audit is intended to address compliance, strategy, and sustainment, and as part of the audit, the contractor is required to “provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices.”