The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers.
The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC.
The full size of the breach is not known, but 514 New Hampshire residents were affected, which suggests that the breach could affect tens of thousands of current and former members and family of military, Department of Homeland Security, and Department of Defense. By comparison, a breach by the touring firm Twin America, disclosed in December, 2010, affected around 300 New Hampshire residents, but 100,000 people nationally.
PenFed was chartered in 1935 and now serves close to one million members of the military and defense related agencies, with $15 billion in assets, according to the credit union’s Web site.
The organization said it learned of the attack on December 12 and immediately took action to eliminate it. PenFed says it has identified the means by which the information was accessed and taken steps to prevent a similar breach from occurring. It has also reissued credit and debit cards to affected customers.
PenFed says it doesn’t know of any efforts to misuse the stolen information, but the organization’s connection to members of the military, Department of Defense and other U.S. government agencies may well raise the spectre of state-sponsored attack that may, or may not have a financial motive.
A recent report by the Department of Defense’s Defense Security Services concluded that Internet bases spying and targeted attacks connected to foreign governments continue to be a major concern, with malware and targeted “phishing” attacks on government employees offering a “low cost, high gain” method of obtaining sensitive data.