The US Navy has canceled all of its roughly 22,000 purchase cards “to minimize unauthorized purchases” after finding that a hacker had accessed 13,000 card numbers and billing records from an internal server. Citibank, the issuing bank involved, has not detected any unusual activity since the hacker probed the server between July 10 and 24, 2003, and is issuing replacement cards. Since most of the cards have a USD 2,500 spending limit, the Navy is reviewing requests for emergency purchases on a case-by-case basis after a spate of unauthorized purchases in the past few years, mainly on luxury goods and services.
“You’d think the military would have some of the best [security] systems in place”, said consultant, Doug Howard, of Counterpane Internet Security, “but often you’ll find the administrative networks segmented from the DOD and that maybe they don’t provide as much security as the core networks”. In this case, the card numbers were stored in plainly readable form inside invoices, which the hacker began downloading from the site on July 24, 2003. By July 30, 2003, the Navy had found the breach after a logistics center reported heightened activity on a server holding invoices for Citibank cards in its purchase card program.
The Department of Defense does not know how the hacker accessed the server, or if any false purchases were made before the breach came to light, but is taking action, according to spokesperson, Glenn Flood. In an endeavor to tighten up its purchasing card program, the DOD earlier this year installed a data-mining capacity to screen and identify high-risk transactions such as the purchase of an item that can be appropriated for personal use, a PDA or large items of office furniture. By this means, the DOD aims to prevent employee abuse of its purchase cards, which were introduced for greater day-to-day efficiency.
|
