Hackers Steal 13,000 Credit Card Numbers
Navy Says No Fraud Has Been Noticed
By Anitha Reddy
Washington Post Staff Writer
Saturday, August 23, 2003; Page E01
The Navy has canceled 13,000 credit cards used for government expenses after discovering that hackers had downloaded card numbers and billing records, Defense Department officials said.
Citibank, the card issuer, has found no unusual activity in the card accounts since the hacking began in July and no fraud related to the incident had been reported as of Thursday, according to a Defense Department official.
Officials and investigative teams from the Navy and Department of Defense are still trying to figure out what vulnerabilities the hackers exploited and how to prevent such attacks in the future.
"You'd think that the military would have some of the best systems in place," said Doug Howard, vice president of strategy and product development for Counterpane Internet Security Inc. "But often you'll find that the administrative networks are segmented from the core of the Department of Defense and that maybe they don't provide as much as security as some of the core networks."
Citibank finished mailing new cards Wednesday to replace the 13,000 that were compromised, said Glenn Flood, a Defense Department spokesman. More than half of the new cards have already been activated.
To reduce the chance of any unauthorized charges being made, the Navy is also beginning a gradual replacement of 9,000 other cards in the program that do not appear to have been compromised. Most of the cards have a $2,500 spending limit.
Federal Computer News reported the hacker attack and cancellation of the cards on Thursday.
The Navy discovered the breach on July 30, when a logistics center at Wright-Patterson Air Force Base in Dayton, Ohio, detected an unusual amount of traffic on one of its servers, a Defense Department official said.
The heightened activity included invoices from Citibank credit cards in the Navy's purchase card program, which managers use to order routine office supplies, such as telephones, copy paper or catered meals.
Hackers began probing the site as early as July 10, investigators determined, but they did not begin downloading the invoices, which contained card numbers, until July 24.
Two groups from the Defense Department, a criminal investigative unit and a team from the department's accounting division are studying how the attack was launched.
Howard, the security expert, noted that while banks often scramble credit card numbers for electronic transmission, the numbers often reside in a plainly readable form on a customer's network.
The Navy has been reviewing emergency purchase requests on a case-by-case basis while the cards are suspended, according to a statement from the Defense Department's purchase card management office.
The Navy, the Defense Department's inspector general, the Defense Department's Purchase Card Program Management Office, and other agencies are meeting to review the cause of the intrusion and study how to prevent such security failures in the future, a Defense official said.
TechNews.com Home
? 2003 The Washington Post Company
http://www.washingtonpost.com/wp-dyn...2003Aug22.html
Sempers,
Roger