General Dynamics Employee Accounts Compromised

Aerospace and defense giant General Dynamics has disclosed that threat actors successfully compromised dozens of employee benefits accounts following a phishing campaign targeting its personnel. The attack highlights the persistent risks associated with phishing and underscores the importance of robust cybersecurity measures.

Discovery of the Attack

The unauthorized activity was detected on October 10, 2024, when General Dynamics discovered that attackers had gained access to and made changes to employee benefits accounts. The breach occurred through a login portal hosted by a third-party provider.

The attackers employed a fraudulent advertising campaign that directed employees to a phishing website designed to mimic the legitimate login portal. Once there, employees were deceived into entering their usernames and passwords, which the attackers subsequently used to access their accounts.

Scope of the Breach

General Dynamics reported the breach to the Maine Attorney General's Office, stating that 37 employees were affected. The attackers leveraged the compromised credentials to access sensitive personal information, including:

• Names

• Dates of birth

• Government-issued identification numbers

• Social Security numbers

• Bank account information

• Disability status

In some cases, the attackers even altered bank account details within the compromised accounts. The company immediately suspended access to the affected accounts upon discovering the breach.

Notification and Remediation

General Dynamics began notifying impacted employees on October 10, with follow-up written notifications mailed this week. The company informed affected individuals that their accounts were accessed via the Fidelity NetBenefits system through the Employee Self Service portal.

To mitigate further risk, General Dynamics is offering two years of free credit monitoring services to those impacted. Additionally, employees have been advised to reset their Fidelity account credentials and avoid reusing the compromised credentials for other accounts.

The company emphasized that the unauthorized access was authenticated through the third-party provider and not directly through General Dynamics' internal systems. It also stated that there is no current evidence of ongoing harm or risk to affected employees resulting from the incident.

Broader Implications

This incident follows a series of breaches reported earlier this year by Fidelity Investments, which disclosed that personal information of tens of thousands of individuals was compromised in two separate data breaches. These incidents highlight the vulnerabilities in third-party systems and the potential for attackers to exploit them to gain access to sensitive information.

Recommendations for Employees and Organizations

General Dynamics has urged affected individuals to take immediate action to secure their accounts. This includes resetting credentials, enabling multi-factor authentication (MFA) wherever possible, and monitoring financial accounts for suspicious activity.

For organizations, the incident serves as a reminder to:

1. Enhance Employee Training: Regularly educate employees about phishing tactics and how to recognize fraudulent websites or emails.

2. Implement Strong Authentication: Enforce MFA for all accounts, particularly those with access to sensitive information.

3. Monitor Third-Party Providers: Conduct regular audits of third-party systems and ensure they meet robust security standards.

4. Establish Incident Response Plans: Prepare for rapid response to breaches to minimize damage and protect affected individuals.

Conclusion

The breach at General Dynamics underscores the persistent threat posed by phishing campaigns and the critical need for both individuals and organizations to adopt proactive cybersecurity measures. While the immediate impact of this incident may appear contained, it serves as a cautionary tale about the vulnerabilities that attackers exploit in third-party systems and the importance of securing sensitive employee data.