About 46,000 veterans' personal information was compromised when a Department of Veterans Affairs online system was hacked, officials said Monday -- one of the worst data breaches for VA in the last decade.
The compromised data may have included social security numbers.
Veterans who were affected by the breach should be contacted by letter, with instructions on how to protect their information. If veterans do not receive an alert by mail, then their data wasn't involved and they don't have to take any action, VA said.
Hackers broke into an online application for the VA Financial Services Center, intending to steal payments to VA-contracted community healthcare providers, the department said in a news release Monday. The center took that payment system offline and a "preliminary review indicates these unauthorized users gained access ... to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols."
VA officials said the system won't go back online until it's a comprehensive security review by the department's IT office is complete.
VA did not include details on what types of data were compromised, but said that it planned to offer free credit monitoring services "to those whose social security numbers may have been compromised."
At least some of the veterans involved in the breach may be dead, and VA officials said they will be notifying next-of-kin in those cases.
In the past 10 years, VA has had five other major data breaches in which more than 5,000 veterans’ data was compromised, according to documents obtained by Connecting Vets through Freedom of Information Act requests. The breaches have largely worsened over time including with the latest announced this week, though they remain a smaller percentage of the millions of records VA possesses.
More than 26 million veterans, troops and family members had their data compromised in 2006 after a VA worker's laptop was stolen.
Government watchdogs and advocates have repeatedly warned that information security is a major challenge at VA.
A VA Inspector General report released last year found that “veterans’ sensitive personal information was left unprotected” on two shared network drives accessible to veteran service organizations not connected to those veterans.
Investigators “determined that mishandling this sensitive personal information was a national issue” in part because VA staff “failed to discover and remove any sensitive personal information stored on shared network drives.”
“Without better protection, veterans and VA are at risk,” the report said. “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”
Veterans or family members who receive notification that their personal information was affected can reach out to the Financial Services Center help desk directly at VAFSCVeteransSupport@va.gov or by mail.
VA largely silent on measures to protect veterans' data. Here's who can access your records.
Information security is a 'major challenge' at VA, watchdogs tell Congress
VA to hold off on sharing medical records after veterans' lawsuit says it violated privacy
VA ‘inadequate’ in response to veterans targeted by foreign threats online, senators tell Wilkie
Foreign scammers are 'stealing veteran voices.' Congress wants answers from Twitter, Facebook