Cyber Incident Victim: United States Department of Defense
Date: Oct 2018
Location: United States of America
Summary
A cybersecurity breach impacted approximately 30,000 Department of Defense personnel after attackers compromised a third-party contractor to access the organization's network and steal travel-related data. The incident resulted in the theft of both payment card information and personal details, with the number of affected individuals anticipated to increase as investigations progressed. The DOD directed the vendor to halt work under its existing contracts while maintaining the contractual relationship pending further review. This disclosure followed separate findings highlighting systemic vulnerabilities in the agency's cybersecurity protections for critical systems.
Description
On October 13, 2018, the Pentagon disclosed a breach involving payment card and personal information belonging to approximately 30,000 Department of Defense (DOD) civilian and military personnel. The compromise was detected on October 4, 2018, during an ongoing investigation that prevented the immediate release of specific details. Attackers gained access by compromising a third-party contractor, exploiting the vendor’s authorized network access to exfiltrate travel-related data. The DOD withheld the contractor’s identity due to the active nature of the inquiry but confirmed the theft included both financial and personally identifiable information. Officials anticipated the number of affected individuals would increase as forensic analysis progressed.

In response, the DOD directed the contractor to halt all work under existing agreements while maintaining the contractual relationship pending further review. The department initiated a risk assessment to evaluate potential harm to personnel and committed to notifying all verified victims. This incident coincided with a Government Accountability Office report highlighting systemic cybersecurity vulnerabilities in the Pentagon’s next-generation weapons systems, though no direct link was established between the two events. The breach underscored third-party risks within defense supply chains and operational reliance on external vendors. No additional technical specifics regarding the attack vector, duration of unauthorized access, or data retention policies were disclosed publicly during the initial phase of the investigation.
