The Navy is pressing private contractor Hewlett Packard Enterprise to pay for credit monitoring services for sailors affected by a data breach that exposed more than 130,000 social security numbers, a defense official familiar with the ongoing investigation said.
The request comes as the investigation into the breach has also expanded to include the FBI, which has joined with Naval Criminal Investigative Service in probing the case, said the official who spoke on background to discuss an ongoing investigation.
HPE, which contracts with the Navy to manage personal information for thousands of sailors, declined to comment on the breach, the investigation or whether the company intends to pay for the credit monitoring for sailors.
"The security and privacy of our clients is a top priority for Hewlett Packard Enterprise (HPE)," said Thomas Brandt, a spokesman for the contractor. "This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel."
Providing credit monitoring is a standard practice for companies and organizations who suffer cyber-attacks that expose personal information that could be used to open unauthorized bank and credit card accounts.
The breach became public Nov. 23 when the service announced that a computer supporting a contract that dealt with reenlistment and career data was "compromised." Names and social security numbers of 134,386 current and former sailors were accessed and likely extracted from the computer by unknown persons.
The personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit requests for re-enlistment and to change Navy Occupational Specialties. Most are expected to be active-duty sailors, but the service says it's possible that some are now in the selected reserve or could be totally out of the Navy, too.
Navy officials initially thought that detailed information on sailors’ security clearance levels was also accessed, but investigators now believe that was unlikely, the defense official said.
This is at least the second major breach of Navy data linked to its contracting activities with Hewlett Packard. In 2013, the service announced that Iran had penetrated its unclassified Navy and Marine Corps Intranet.
In March 2014, the Wall Street Journal reported that the breach was due to a sloppily written contract with Hewlett Packard that didn’t require HP to provide security for some of the Navy’s unclassified databases.
Senior Reporter Mark D. Faram contributed to this report.