Tens of thousands of US veterans have had their personal information illegally accessed in a data breach incident announced on Monday.
The US Department of Veterans Affairs (VA) Office of Management revealed that 46,000 veterans had been affected by the incident.
“The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office,” it continued.
“A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”
The VA Office of IT is conducting a comprehensive security review before system access is allowed again, it added.
“To protect these veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information,” the statement concluded.
“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”
Thomas Richards, principal security consultant at Synopsys, argued that social engineering is a common tactic to gain unauthorized access to applications and systems.
“If, for business reasons, these applications must be public facing they should be secured with multi-factor authentication to prevent any compromised credentials from being used,” he added. “Organizations should also conduct regular assessments against their staff to raise awareness around social engineering threats, thus reducing the chance of a successful attack.”
Back in September last year, security researchers discovered a spoofed VA recruitment site crafted to deploy spyware on visitors’ computers.