US Department of Defense travel records breach via unnamed contractor (October 2018)
Incident Details
On October 12, 2018, the US Department of Defense disclosed that a data breach at an unnamed commercial contractor had exposed travel records, including personal information and payment card data, for approximately 30,000 current and former DoD military personnel and civilian employees. The Pentagon announced it had been notified of the breach by the contractor and had moved to terminate performance under the contractor’s contracts.
The DoD declined to name the contractor, citing ongoing security concerns and the sensitive nature of active contract relationships. Officials noted the breach may have occurred some months prior to its discovery, potentially placing the initial intrusion as early as mid-2018, though the exact date of compromise was not publicly confirmed. The actual scope of the breach could exceed 30,000, as that figure was described as not necessarily final at the time of disclosure.
Data exposed included travel records (itineraries, booking confirmations, travel dates) along with personal identifying information and credit card details associated with official travel transactions. The combination of travel metadata and financial data presented risk for targeted fraud, social engineering, and potentially for adversary intelligence collection about DoD personnel movements.
The DoD began directly notifying all individuals believed to be affected and offered prepaid identity theft monitoring services. Defense Department spokesperson Lt. Col. Joseph Buccino confirmed the breach was limited to the contractor’s systems and had not compromised the DoD’s own networks.
The timing of the disclosure was notable: it came shortly after a Government Accountability Office (GAO) report concluded that US military weapons systems were broadly vulnerable to cyberattacks and that the Pentagon had been slow to implement adequate protections. Critics noted that the DoD’s travel management contracting practices, concentrating large volumes of sensitive personnel data with commercial vendors, created significant third-party risk.
The breach paralleled a broader pattern of contractor and supply-chain compromises affecting US government agencies during this period and reinforced ongoing concerns about the security posture of DoD vendors handling sensitive personnel data.
Technical Details
- Initial Attack Vector: Intrusion into an unnamed commercial travel management contractor's systems that processed and stored travel records for DoD personnel; the contractor's network was compromised, exposing travel itinerary data and associated payment card information for approximately 30,000 military and civilian DoD employees
- Vendor / Product: Not disclosed (DoD travel management contractor)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2018-07-01 Breach occurred
- 2018-10-12 Publicly disclosed
- 2018-10-12 Customers notified