BAE Systems first notifying employees of extranet site network attack in 2014
On June 4, BAE Systems Information and Electronic Systems Integration Inc. notified the New Hampshire Attorney General’s Office that they had experienced a network attack on an extranet site in 2014. Due to the nature and scope of the attack, they provided a data set to the Pentagon’s Damage Assessment Management Office (DAMO), who subsequently advised them that the files contained sensitive personal information. Further analysis by BAE Systems uncovered additional sensitive personal information in the files (Social Security numbers) that may have been compromised.
In their letter to those affected, BAE states that the purpose of the network attack was “presumably … to steal intellectual property and unclassified defense-related information.”
There is no explanation of why it has taken BAE System so long to notify those affected, but then, they don’t say when they actually first discovered the breach or how they learned of it – only that it occurred in 2014, that DAMO got back to them “earlier this year” with its analysis, and that BAE System then built a pattern-search tool to further analyze the data set to find any sensitive personal information. Nor do they explain why they were unable to determine whether the personal information had been compromised or not.
Those affected were offered a year of credit monitoring with Experian.
The notification does not explain how the attack occurred, nor what steps the firm is taking to prevent a recurrence, other than they have reviewed their policies and procedures.