Attackers Target Pentagon Credit Union

An infected laptop was used to access the systems at the US Pentagon’s credit union, exposing the financial records of the members of the United States military, according to a Kaspersky Lab report.

The Pentagon Federal Credit Union notified the New Hampshire Attorney General of the breach, and said names, addresses, social security numbers, bank and credit card information of its members were compromised, said Paul Roberts, editor of Kaspersky Lab’s ThreatPost.com site. New Hampshire law requires that all companies report all breaches that involve its residents. Massachusetts has a similar law.

Full extent unknown

At this point, the full extent of the breach is not known, but so far 514 New Hampshire residents have been affected. It’s hard to determine the magnitude, based on just one state. As Roberts pointed out, a data breach of the tour company Twin America affected around 300 New Hampshire residents but 100,000 people nationally.

The credit union discovered on 12 December that someone had hacked a laptop on its network. Along with the personal information, the malware allowed attackers to see information relating to former members, joint account holders and beneficiaries. That vulnerability has been closed and steps have been taken to prevent a similar breach, according to Roberts.

“We have no indication that your information has been misused,” Roderick Mitchell, PenFed’s executive vice president of operations, wrote in a letter mailed to customers. No PINs or passwords were accessed, Mitchell wrote. Even so, PenFed has already re-issued all credit and debit cards to members whose account information was affected.

The Identity Theft Resource Center reported that data breaches in general rose 33 percent in 2010 from the previous year. A separate report from the Department of Defence found that identity theft targeting government employees and classified networks may be on the rise because it was a “low cost high gain” method to obtain sensitive or classified technology and information. Targeted “phishing email messages” were among the cyber-tools being used, the report said.

PenFed serves members in the Air Force, Army, Coast Guard, Department of Homeland Security, Department of Defense, and the Veterans of Foreign Wars. With about $15 billion (£9.4bn) in assets and nearly a million members, PenFed is not just for savings, as it offers mortgages and loans and issues its own credit cards.

This isn’t the first time PenFed has been targeted. The credit union posted an alert on its website notifying users that a person who was calling members to say their mortgages were being sold and requesting personal information was fraudulently masquerading as a PenFed underwriter.