Cyber Incident Victim: Department of Veterans Affairs
Date:
Sep 2020
Location:
United States of America
Summary
The US Department of Veterans Affairs experienced a security breach when unauthorized actors exploited social engineering techniques and authentication protocol weaknesses to access a Financial Services Center application, potentially compromising personal information—including Social Security numbers—of approximately 46,000 veterans. Attackers diverted healthcare provider payments intended for veterans' medical treatment, prompting the department to deactivate the compromised system pending a security review and offer affected individuals credit monitoring services. This incident marked the second major breach in the organization's history following a prior data exposure involving physical device theft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 14, 2020, the US Department of Veterans Affairs (VA) disclosed a security breach impacting approximately 46,000 veterans. Unauthorized individuals gained access to an online application managed by the VA Financial Services Center (FSC) using social engineering techniques and by exploiting the system's authentication protocols. The attackers manipulated the compromised application to divert VA payments intended for healthcare providers who delivered medical services to veterans. While the primary focus of the intrusion involved financial fraud through payment redirection, investigators determined that the perpetrators potentially accessed sensitive veteran records during the incident. This data exposure risk included Social Security numbers belonging to affected individuals.
The VA took immediate action by shutting down the compromised FSC application following the breach discovery, stating it would remain offline pending a comprehensive security review. The department initiated notifications to all impacted veterans, including next-of-kin for deceased individuals, regarding the potential compromise of their personal information. Affected parties received offers for complimentary credit monitoring services, particularly those whose Social Security numbers were exposed. This incident marked the second major data breach publicly acknowledged by the VA, following a 2006 incident where unencrypted personal records of 26 million veterans were stolen from an employee's residence via laptop and external hard drive theft. The earlier breach had drawn criticism from the Inspector General for the VA's delayed response and insufficient urgency in addressing the data loss.