Hackers attempting to steal money the Veterans Affairs Department was sending to private sector health care providers also scooped up the personal information of some 46,000 veterans.
According to an announcement put out Monday by VA, the department detected a breach of a payment processing system managed by the Financial Services Center after perpetrators were able to use social engineering to trick users into giving up their secure access information. The hackers were then able to use those credentials to gain access to the system and “divert payments to community health care providers,” i.e., private-sector, non-VA medical facilities.
After discovering the compromise, “The FSC took the application offline and reported the breach to VA’s Privacy Office,” the statement reads. VA officials said the affected system will remain offline until the Office of Information Technology can perform “a comprehensive security review.”
While the hackers’ primary goal seems to be monetary, the Social Security numbers and other personally identifiable information for some 46,000 veterans were exposed in the process.
VA officials did not immediately respond Monday to a list of questions from Nextgov.
VA has sent letters to all of those affected by the breach, with instructions on how to protect their data and access to free credit monitoring services.
“There is no action needed from veterans if they did not receive an alert by mail, as their personal information was not involved in the incident,” according to the statement.
The breach announcement comes five weeks after FSC issued a request for information for cybersecurity audit services.
“The contractor shall provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices,” the RFI states.
The agency is in the midst of a major overhaul of its financial services system projected to cost $2.5 billion by the time it’s finished.
In December, VA officials told members of the House Veterans Affairs Committee subcommittees on Technology Modernization and Oversight and Investigations that the project had seen significant delays and cost overages from the original plan, which would have cost $887 million and been completed by 2025.
Officials now say the project is on track to be completed by 2030 or sooner, if all goes well.
This story is breaking and will be updated as Nextgov gets new information.