Updated Thursday, June 30, 2011 at 1:11 p.m. EST
Gannett Government Media – publisher of the Army Times, Defense News, Federal Times and a number of other government news websites – has sustained a digital intrusion that exposed the personal information of subscribers, including U.S. military personnel.
In a message posted to its website Monday, Gannett Government Media said it discovered that attackers on June 7 gained unauthorized access to files containing the personal information of some users. The compromised data includes names, user IDs, passwords, email addresses and, if provided, ZIP codes, military duty status, pay grade and branch of service.
No financial data was compromised, the company said. The attack also prevented some users from accessing all or parts of the targeted sites.
It is not known how many people were affected, nor how the adversaries broke in.
"The number of individuals that were affected was a very small percent of our users of the sites," Elaine Howard, president and CEO of Gannett Government Media, told SCMagazineUS.com in an email Thursday. "The majority of our users do not register for access, therefore personal information was not obtained."
The websites affected include the Air Force Times, Armed Forces Journal, Army Times, C4ISR Journal, Defense News, Federal Times, Marine Corps Times, Military Times, Military Times Edge, Navy Times and Training & Simulation Journal.
The company -- formerly known as the Army Times Publishing Co. before being purchased by media conglomerate Gannett in 1997 -- has advised users to reset their passwords for all Gannett Government Media sites, as well as at other online accounts that use the same email address.
Gannett Government Media has been working with an outside computer forensic firm to investigate the breach and strengthen its security controls, the company said. Email notifications have been sent to affected individuals.
“We deeply regret any inconvenience that this may cause and appreciate your understanding,” the company said in its statement. “We take the security and privacy of your information very seriously and will continue to work diligently to protect your information.”
Harry Sverdlove, CTO of security firm Bit9, wrote in a blog post on Wednesday that Gannett Government Media should be “embarrassed” for storing customer passwords in its databases without encrypting them.
The stolen information will likely be used to perpetrate additional crimes against members of the military and their contacts, he added.
Since users commonly recycle the same passwords for multiple sites, their social networking and email accounts may be targeted in spear phishing attacks that try to siphon even more confidential data, he said.
“[Cybercriminals] use information stolen today to launch deeper attacks tomorrow,” Sverdlove wrote. “If thousands of military personnel passwords have been compromised, the possibility for subsequent breaches is high.”
If recent history is any indication, Sverdlove could be right
In the case of the RSA SecurID breach, for example, criminals leveraged the stolen information in an attack on U.S. defense contractor Lockheed Martin months after the initial breach.