A contractor that oversees Department of Defense (DOD) travel records is reportedly to blame for a data breach that exposed sensitive information of at least 30,000 military and civilian employees, reports Gizmodo.

Third-party-related data breaches have been a recurring issue–and a persistent reminder that an organization’s cybersecurity is only as good as the cybersecurity practices of its partners and vendors. Just a few months ago, several large automakers lost corporate secrets due to a vendor’s lax security.

The DOD issue was brought to the attention of leadership on October 4. But an official speaking under condition of anonymity told the Associated Press that the breach could have have happened months ago.

The news comes just a week after other bad news for the DOD. The Government Accountability Office (GAO) issued a report last week highlighting significant vulnerabilities in almost all DOD weapons systems from between 2012 and 2017.

As Gizmodo reports, the exposed data might include personal details as well as credit card numbers. An investigation is underway that could uncover additional information. Gizmodo writes, “And if some 30,000 affected parties sounds like a huge number, the AP’s source also said there’s a possibility that even more staffers could be found to be affected as the investigation into the cyber breach continues.”

Get the full story at Gizmodo.