
Pentagon’s Defense Travel System breached


Our good friends at Recon Secure Computing highlighted to us the recent breach of the U.S. Department of Defense’s (DOD) Defense Travel System, so we dug in to see what’s what.

It turns out that the Pentagon hasn’t been exactly forthcoming.

The NY Times reports that on 12 October the Pentagon acknowledged that there had been a breach, which had occurred months previously and was only recently discovered. Over at Security Week, they were a bit more fulsome. They shared with us how Lt. Col. Joseph Buccino, a Pentagon spokesman, noted that the breach occurred within one of the many vendors which support the Defense Travel System and that the number of personnel (civilian and military) affected is limited to about 30,000. Furthermore, the identity of the company responsible has not been revealed (though we expect it will be known soon enough). The spokesman noted that the vendor has been instructed to cease their activities.

“Hack the Defense Travel System” bug bounty program

Perhaps this breach was discovered as part of the bug bounty program which was conducted April 1 - April 29, 2018. More than 100 security vulnerabilities were found and hackers were awarded $80,000 for their finds. Of those 100, according to Information Security Buzz, the hackers reported 65 valid unique vulnerabilities, 28 of which were high or critical in severity. At a minimum this showed the Pentagon that their plan to update the Defense Travel System was coming none too soon, and in the interim it provided a roadmap for tightening up security for the program.

Defense Travel System changing hands

During our investigation, what we did learn is that the Defense Travel System will be changing hands. The Defense Travel System, which was created in 2001, will be replaced by a system built by SAP Concur, which, in partnership with Accenture Federal Services, Booz Allen Hamilton and CWTSato Travel, will be building an end-to-end travel-as-a-service capability. The Pentagon’s announcement of this contract occurred in August 2018, so those with suspicious minds within the investigatory element looking at this breach must determine if it was purposeful sour grapes by the contractor’s workforce, knowing that the writing was on the wall and that they were being replaced by the new SAP Concur system, or if it was something else.

Companies with Travel Programs

Companies with travel programs should also make sure their travel security programs encompass the infrastructure of the vendors who are being trusted with the PII and PCI information of their employees. Travel security programs are a part of the larger duty of care responsibility which each entity asking their employees to travel must shoulder.


About Christopher Burgess

Christopher Burgess is a writer, speaker and commentator on global security issues. He has appeared on CNN, BBC, I24, China News, Bloomberg, CBS, NBC, and ABC providing commentary and analysis. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. He has lived and traveled abroad for more than 55 years. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.” He is the founder of Securely Travel.