The Navy cancelled all of its purchase cards Thursday after learning that hackers broke into its system, gaining access to 13,000 accounts, according to a news release issued by the Defense Department Purchase Card Program Management Office. As a result, the Navy put a stop on all 22,000 card accounts.
"A DoD team is on site to determine how this happened and what needs to be done to fix the breach," the release stated. "A Defense Criminal Investigative team is also on site to pursue the investigation."
Navy officials are working with its card issuer, Citibank, to open new accounts as quickly as possible. It's not clear yet if any cards have been used for fraudulent purchases.
"Vendors who accept the purchase card and do business with the Navy should be aware that all card accounts have been cancelled and that Citibank is working quickly to re-establish new accounts and cards. In the meantime, emergency purchases are being handled on a case-by-case basis to fully support Navy requirements," DoD said in the statement.
Vulnerabilities in the Navy's purchase card program are not new. Last year, the General Accounting Office found that "a weak overall control environment and breakdowns in key internal controls leave the Navy vulnerable to potentially fraudulent, improper, and abusive purchases" (GAO-02-1041).
GAO noted, however, that the Navy took some steps to improve the situation, including reducing the number of cards issued from 59,000 in 2001 to roughly 22,000 today. Still, GAO found that some Navy personnel were making personal purchases with their cards. GAO urged the service to more closely scrutinize how and to whom cards are issued. The agency watchdog also suggested that the Navy improve training for purchase cardholders.