The U.S. Department of Veteran Affairs (VA) has encountered a data breach that affected the personal data of about 46,000 veterans.
Hackers obtained access to a web application that the VA Financial Services Center (FSC) used and tried to reroute payments made to community care providers for the veterans’ health care. The attackers used social engineering tactics and exploited authentication protocols to get access to the application and alter bank account details.
When FSC discovered the breach, the payment processing program was taken offline to stop sending any further payments. It is not clear how many payments had been sent prior to the discovery of the cyberattack. It is also not clear if the attack was discovered just in time to stop the fraudulent transfers. The FSC stated the breached payment processing program will continue to be offline until the comprehensive security review of the Office of Information Technology is done.
The primary reason for the cyberattack seems to be the re-routing of payments; nevertheless, the attackers stole the personally identifiable information and Social Security numbers of approximately 46,000 veterans and may use the information for fraudulent activities.
FSC already notified by mail all veterans who had their information potentially exposed in the attack and offered them free credit monitoring services. The veterans also received instructions on what they need to do to monitor and take action against fraudulent use of their data.
The VA’s financial services system is presently having a big update. There were a number of delays, therefore, the undertaking will probably not be complete until 2030. The FTC just released a request for information in search of cybersecurity audit services. The cybersecurity audit is meant to deal with compliance, technique, and sustainment. The audit contractor needs to present a gap analysis on the cybersecurity solutions, processes and controls that the government must use and give recommendations regarding methods to enhance visibility and incident response time that adhere to VA’s best practices.