The following article discusses the final outcome of the largest Department of the Navy (DON) personally identifiable information (PII) breach to date. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information (DON CIO) Privacy Office.
The Incident
The breach occurred during the summer of 2012 when an enlisted systems administrator stationed on board an aircraft carrier hacked into a Navy information technology (IT) system. The hacking incident resulted in the public release of a significant number of personal records. The Sailor was a member of a hacking organization. The breach was discovered when the organization posted the personal information on its social media account.
The Naval Criminal Investigative Service (NCIS) began investigating the incident. A year later, the Sailor was caught in a NCIS sting operation while attempting to hack into a restricted network.
Actions Taken
Both the Sailor and his co-defendant received two-year prison sentences in October 2014. They were also linked to cyber-attacks on more than 50 other public and private networks.
All personnel impacted by the breach received written notification letters per DON policy.
Lessons Learned
Supervisors must remain vigilant, observing and overseeing their employees when they have access to sensitive information such as PII, noting and reporting any suspicious behavior.
Commands should utilize available tools and logs to monitor suspicious activity and the unauthorized access and use of personal information contained in DON IT systems.
Leadership must ensure all assigned personnel complete mandatory annual privacy awareness and information assurance training.
In an August 14, 2014, memorandum titled “Unauthorized Disclosures of Classified Information or Controlled Unclassified Information on DoD Information Systems,” the Deputy Secretary of Defense directed that senior leaders, commanders, and supervisors ensure that safeguards are implemented through appropriate training, accountability, and leadership involvement in these matters. The memo states to DoD leadership that: “Your personal engagement is essential to foster a culture of increased diligence in safeguarding our classified information and CUI.”
As a final note, the U.S. Attorney involved in the case stated, “Computer hacking presents a significant risk to national security. As a service member in the United States Navy, the defendant knowingly breached his oath of enlistment and became an insider threat. We will continue to work with our law enforcement partners to find cyber-criminals and prosecute them to the full extent of the law."
Additional privacy resources, including the above memo, can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.