Army Databreach is Just Tip of Iceberg

An Army database housing personally identifiable information was discovered to have been breached some time ago.

Army says hacker got 30K Fort Monmouth personal infos: names, birth dates, SSNs, addresses and salariessfgate.com/news/article/A…

— Chris Wysopal (@WeldPond) December 28, 2012

From SFGate here:

Computer hackers have illegally gained access to personal information of more than 30,000 people connected to Army commands formerly based at Fort Monmouth.
An Army spokeswoman says the information includes names, birth dates, Social Security numbers, addresses and salaries. The breach was discovered this month.

The Army says the databases that were breached contained information taken from former Fort Monmouth visitor logs as well as CECOM personnel files.

DoD systems that contain PII are actually breached with some regularity. When I was peeking at their backbone during one engagement, I watched hackers play “King of the Hill” on a database that was used to log respirator fit tests for soldiers. The DB was located at Fort Knox. One hacker group would walk in, smash and grab data, then another group would kick out the fist group, and harvest their own data as well. The problem is that the military can’t enforce common-sense access control lists, and they also have a problem encrypting their communications.