The Defense Department has agreed to add new security controls to a website designed to verify troops’ and veterans’ military service, steps that were prompted by a lawsuit from a national veterans group.
The site in question was mainly designed for financial institutions to quickly verify whether their customers were covered by legal protections in the Servicemembers Civil Relief Act. But it had essentially no access controls, and allowed literally anyone to anonymously enter a member’s name and date of birth or social security number and get basic details about their service record in return.
Under the terms of the settlement with Vietnam Veterans of America, the Defense Manpower Data Center now requires website users to sign up for an account and provide their names and addresses as part of the registration process. The Pentagon is also implementing new terms of service that warn of criminal penalties if website visitors misuse the data.
The agreement, filed in a federal court in New York on Thursday, also requires DoD to keep detailed analytics to hunt for signs that account holders are abusing the site. The department will turn those details over to VVA, along with statistics on accounts it’s revoked because of abuse, every three months.
DoD has already implemented the login requirement for the SCRA website, and for a similar site meant to help banks find out whether customers are covered by the Military Lending Act. The databases are also used by private vendors such as ID.me and GovX to check customers’ eligibility for military discounts at retail stores.
VVA first sued the government in August 2017, saying it had warned DoD about what it viewed as a serious breach of its responsibility to protect servicemembers’ personal information, but that the department had failed to lock the site down.
The group claimed the Pentagon was violating the Privacy Act as well as the Federal Information Security Modernization Act, which requires agencies to limit their use of Social Security Numbers. Under the settlement, DoD will also make clear that website users can verify someone’s service without their SSN, a step meant to clamp down on unnecessary collection of those details by companies.
According to DoD statistics cited in the lawsuit, the SCRA website handles 2.3 billion requests per year, and the earlier version let any single user make up to 12.5 million queries each day. VVA said it was especially concerned about cyber criminals and terrorists being able to access the data anonymously and with few restrictions.
“Particularly for special ops people, this is really dangerous. That’s why it’s a matter of national security that this thing is so loosey-goosey,” Rick Weidman, VVA’s director for policy and government affairs, said in an interview with Federal News Network shortly after the lawsuit’s filing. “You don’t know who’s pulling your information because they don’t track it.”
The revised version of the site still allows access by anyone, so long as they create an account and supply some basic details about who they are. Once they do, it lets them make requests for a single record, or upload a bulk request for up to 250,000 records at a time. The lawsuit had sought to force the department to lock the site down further by restricting its use only to companies that are regulated by the SCRA.
In its lawsuit, VVA said it was clear that the database had been exploited by criminals. As evidence, it named as a co-plaintiff Thomas Barden, a 21-year Air Force veteran who had been victimized by scammers who gained his trust, in part, by relying on details they gleaned about him from the SCRA website.
According to the suit, a cybercriminal claiming to be from Microsoft called Barden, purportedly to diagnose problems with his computer. He was convinced the caller was legitimate because the caller had very specific personal information about him, including the precise dates of his military service. The scammer eventually got remote access to his computer, tried to get Barden to log into his online banking account, and when he refused, locked his computer with a demand for a ransom payment.
“The fact that essentially anyone can access his personal information through the SCRA website has caused Mr. Barden significant further anxiety and stress,” VVA’s attorneys wrote in the complaint. “He is particularly concerned that he could be targeted again by scammers, or that his private information could be misused in other ways.”