The Pentagon has admitted that up to 30,000 military workers and civilian personnel have had their personal information and credit card data exposed following a security breach.

The security breach occurred at a third-party vendor which provides travel management services to the Department of Defense.

The vendor, which has not yet been publicly identified because of security concerns and ongoing contracts, was not the party that informed the Pentagon of the breach. Instead it appears that the DoD’s own computer security team discovered that a breach had occurred.

According to an Associated Press report, it is possible that the breach happened “some months ago,” and further investigation may reveal that even more staffers were exposed.

The Department of Defense says that it has started notifying individuals affected by the security breach, and that those impacted will be offered prepaid identity theft monitoring services.

Pentagon spokesperson Lt. Col. Joseph Buccino issued a statement confirming the breach does not affect all staff who have used travel management services:

“The Department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the Department. This vendor was performing a small percentage of the overall travel management services of DoD.”

The one piece of good news is that no classified material appears to have been put at risk by the breach.

News of the breach does, however, come at an awkward time for the US Department of Defense which is currently smarting from a report issued last week by the US Government Accountability Office (GAO).

That report concluded that poor security has made next-generation weapons systems easy to hack.

In one case, it was reported that it was possible for unauthorised users to gain access to a weapons system within just one hour, and that the Pentagon was not following basic security practices such as changing default passwords.

“One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed.”

There have, of course, been US government data breaches that have affected a far larger number of individuals than the 30,000 estimated to be impacted in this latest incident.

But that doesn’t make it any less important for organisations like the Department of Defense to consider not only how they best protect their systems, but also how well their third-party service suppliers are securing sensitive DoD data.