DOD Leaves Confidential Information Exposed On Server For Weeks
Reports have surfaced this week that the U.S. Department of Defense (DOD) left a server containing three terabytes of sensitive internal military emails exposed online without a password for two weeks due to a misconfiguration. The misconfiguration would have allowed anyone on the internet who knew the server’s IP address to read all of the mailbox data.
An independent cybersecurity researcher discovered the open server, and after alerting the DOD, the server was reportedly secured by Monday afternoon.
The server was hosted on Microsoft’s Azure government cloud, which is used by DOD customers. It contained highly sensitive personnel information, including a security clearance questionnaire that could be valuable to foreign adversaries. The form seeks personal and confidential information, including Social Security numbers, birthdates, addresses, and other identifying information about personal references provided for security clearances.
Most of the emails contained in the mailbox were from the U.S. Special Operations Command, a military command responsible for conducting special operations missions worldwide. The mailbox server was first detected as spilling data on February 8. The leak is believed to be due to human error. The data contained in the mailbox was apparently not classified, as “classified servers” are not connected to the open internet for obvious security reasons.
In 2015, Chinese hackers stole millions of sensitive background check files of government employees who sought security clearance in a data breach at the U.S. Office of Personnel Management.
A senior U.S. defense official confirmed to Fox News that the server was left exposed and allowed internal emails to be accessed. However, it is unclear if anyone accessed the data during the two-week window that the server was accessible from the internet. Reporters with TechCrunch asked the DOD if they could view logs or detect improper access. A spokesperson for the department was unable to provide a specific answer.
U.S. Special Operations Command spokesperson Ken McGraw stated that an investigation had begun. Still, there is no evidence that anyone had hacked USSOCOM’s information systems.
DOD was very fortunate in avoiding a highly damaging security breach. The data exposure could have been disastrous, considering the years of personnel information left unprotected for an extended period.