washingtonpost.com
Hacker breaches security at Pentagon Federal Credit Union

By Lisa Rein
Washington Post Staff Writer
Monday, January 17, 2011; 5:57 PM

Members of a credit union that serves active-duty military personnel and others connected to the Pentagon are at risk for identity theft after a laptop was hacked, exposing the personal and financial records of an undisclosed number of troops and their families.

The Pentagon Federal Credit Union, or PenFed, the Alexandria-based institution that serves the military and other government agencies, mailed a letter to customers in early January alerting them to the security breach, which was discovered Dec. 12. PenFed would not comment on how many customers were notified.

The attorney general's office in New Hampshire, however, disclosed that the names, addresses, Social Security numbers and credit and debit card numbers of 514 credit union customers were improperly accessed. New Hampshire is one of the few states that require companies to notify the attorney general of security breaches that affect its residents, and it makes the information public.

"We have no indication that your information has been misused," Roderick Mitchell, PenFed's executive vice president of operations, wrote to the affected customers. He said no passwords or PINs were accessed. The credit union has reissued all credit and debit cards to customers whose privacy was compromised. PenFed also offered them two years of free access to a credit-protection software program.

However, the full extent of the breach may not be known for years, security experts said. PenFed's letter does not say how many customers' account information was obtained illegally, and it is unclear whether the credit union has found the source of the attack.

PenFed serves almost one million members of the active-duty military, Department of Defense, Coast Guard, Department of Homeland Security and the Veterans of Foreign Wars. Its customers also include defense contractors. The credit union offers mortgages, loans, credit cards, home equity lines of credit and other financial services, often at lower rates than traditional banks. It has more than $15 billion in assets, according to its Web site.

PenFed is a private entity, and the Pentagon referred any questions about the security breach to the company.

PenFed spokeswoman Rhonda Barnat said the credit union would have no comment on the matter.

"I'm sure people in every state are affected," said Paul Roberts, editor of threatpost.com, a security news blog put out by Massachusetts-based Kaspersky Lab, an anti-virus software company.

Roberts, who first reported the security breach, noted that cyberattacks against credit unions are on the rise, in part because they have smaller budgets than big banks that have security experts on site. But while in one sense "this is a run-of-the-mill data breach of a bank," Roberts said, the attack raises other concerns because the victims are Pentagon employees, from janitors to admirals, who may have access to sensitive government information.

"It raises the specter of, is this a financially motivated crime or a national, state-sponsored attack where the motivation for the crime is more who these people are than what's in their bank account?" Roberts said.

Cybersecurity experts said a PenFed employee or contractor or a bank auditor could be responsible for the breach. An employee might have unwittingly made the laptop vulnerable to attack: Laptops can be easy targets for hackers because they're portable and used by many people on multiple computer servers.

"The kids might play on it and that could compromise it, or it might not be updated with security patches," said Ondrej Krehel, an information security officer with Identity Theft 911, a firm that advises businesses on protecting themselves from data breaches.

"We're in a new era of portable and mobile devices," Krehel said, "where all these users who travel have computers that are not reviewed at the same level of security as a desktop."


© 2011 The Washington Post Company