Commissaries look to limit cyber breaches
By STEVEN BEARDSLEY | STARS AND STRIPES Published: April 11, 2016
The military wants to shore up an agency vulnerable to cyber-attacks — the one overseeing its 240 commissaries.
The Defense Commissary Agency is looking to hire a rapid-response service available within an hour of any incident that breaches payment systems, threatens cardholder data or otherwise disrupts the agency’s systems, according to a contract put out for bid this month.
The service would be the first to assess any suspected attack against agency networks.
“Typical incidents include the introduction of viruses or worms into a network, DoS (denial of service) attacks, unauthorized alteration of software or hardware, and identity theft of individuals or institutions,” the solicitation states.
DeCA’s move follows a larger trend of government and military-related agencies moving to protect customer data in light of high-profile incidents where it was hacked or lost. The personal details of more than 21 million people were exposed in a 2015 hack of the Office of Personnel Management. The Department of Veterans Affairs has been criticized for its failure to protect sensitive information.
Roughly 5.3 million military, retiree and civilian households have access to a military commissary, which sells groceries at a lower markup than commercial supermarkets. Many customers use a credit or debit card, valuable information for anyone able to access agency systems.
The military community has special concerns about personal data. Twice last year, an online group claiming to support Islamic State militants in Syria and Iraq released the personal information of U.S. military members and exhorted sympathizers to kill them. Other attacks have vandalized military websites.
Under the contract requirements, the rapid-response service would be available within an hour of the most serious, or “priority one,” cases — those that threaten DeCA systems or personal information. Other, less intrusive cases would require a 24-hour response.
The service would gather and analyze evidence from the suspected attack, determine its cause and help DeCA make notifications about the breach. If needed, the one-year contract can be extended for four additional years.
DeCA reported roughly 89 million customer transactions in 2015 for $5.5 billion in sales. Its stores are located in 13 countries and 2 U.S. territories.