Graphic by Pixabay/Illustration by CNET

An agency under the US Department of Defense was hit by a data breach that affected personal information. Hackers stole Social Security numbers, names and other personal data, a department spokesman said Thursday.

The Defense Information Systems Agency, or DISA, is responsible for providing IT support to combat missions, in addition to securing White House communications, according to the agency's website.

Department of Defense spokesperson Charles Prichard confirmed Thursday the agency had detected a breach of personally identifiable information on a system it hosts, and was in the process of notifying those affected by letter. The breach affected people associated with the Defense Department. They will also receive a follow-up letter with more information about how the agency will help them respond to the incident. That'll include free credit-monitoring services for everyone involved, he said.

"DISA has conducted a thorough investigation of this incident and taken appropriate measures to secure the network," Prichard said.

The breach occurred between May and July 2019, according to Reuters, which reported the story earlier Thursday. Other major data breaches that exposed Social Security numbers include the hack of the US Office of Personnel Management in 2015 and the attack on Equifax in 2017. Stolen Social Security numbers create a risk of identity theft.

Prichard said DISA has no evidence the stolen information has been misused, but security experts note that it's very difficult to track how a specific data breach leads to later crimes.

With a stolen Social Security number, criminals may open new lines of credit, or use it to claim government benefits and tax refunds, among other things. The FTC and the Identity Theft Resource Center both provide advice on how to respond if you're affected by a data breach that includes your Social Security number or other sensitive information.

Originally published Feb. 20, 12:30 p.m. PT.

Update, 2:01 p.m.: Adds information about the breached data and who it belonged to.