Hackers attempted to redirect payments for veterans’ medical care by infiltrating an online system belonging to the Financial Services Center (FSC) at the Department of Veterans Affairs (VA), in a cyber break-in that hit some 46,000 veterans, the agency said.
The data breach, which the FSC reported on September 14, 2020, compromised sensitive personal information, including the social security numbers of the affected veterans, the Center said. The addled application has been taken offline and access to the system will not be restored until the VA Office of Information Technology reviews the incident, officials said.
According to the VA, the hackers gained access to an online application that enabled them to change financial information and divert payments using social engineering techniques and exploiting authentication protocols. While the VA didn’t specify the mechanics of the cyber burglary, the likelihood is it involved some type of phishing or malicious link.
The VA hasn’t released financial details of the breach, including how it was discovered and how much money earmarked for health care service providers was scammed. The agency said it is notifying those affected by the breach of the potential risk to their personal information. For people whose social security numbers have been stolen, the VA is offering free credit monitoring services.
The VA, through the Veterans Health Administration, provides medical care to some 20 million beneficiaries.
The FSC hack preceded by a few days the release of a Government Accountability Office (GAO) report, entitled VA Needs to Address Persistent IT Modernization and Cybersecurity Challenges, on the VA’s progress to modernize its IT and cybersecurity systems.
In a statement to the House Subcommittee on Economic Opportunity and Technology Modernization, Committee on Veterans’ Affairs, on September 16, Carol Harris, the GAO director of Information Technology Management Issues, said that until the VA “rectifies reported shortcomings” in its security program it will “continue to have limited assurance” that its sensitive information is sufficiently locked down.
A “lack of key cybersecurity management elements at VA is concerning given that agencies’ systems are increasingly susceptible to the multitude of cyber-related threats that exist,” the GAO report said. “As VA continues to pursue modernization efforts, it is critical that the department take steps to adequately secure its systems.”