Sensitive emails of the US military were leaked to the Internet
The U.S. Department of Defense on Monday secured an exposed server that leaked internal U.S. military emails to the open Internet over the past two weeks.
The exposed server was hosted in Microsoft’s Azure government cloud for Defense Department customers, who use servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data.
The exposed server was part of an internal mailbox system that stored about three terabytes of internal military emails, many of them related to the US Special Operations Command, or USSOCOM, the US military unit tasked with conducting special military operations.
A misconfiguration left the server without a password, allowing anyone on the Internet who knew its IP address to access the sensitive mailbox data inside using nothing more than a web browser.
The server was loaded with internal military emails dating back years, some of which contained sensitive personnel information. One of the leaked files included a completed SF-86 form, which is filled out by federal employees seeking security clearance and contains highly sensitive personal and health information used to screen people before they receive permission to handle classified information.
These personnel questionnaires contain a significant amount of background information on security clearance holders that is valuable to foreign adversaries. In 2015, suspected Chinese hackers stole millions of sensitive background check files of government employees seeking security clearance in a data breach at the US Office of Personnel Management.
None of the restricted data appears to be classified, which is consistent with USSOCOM’s civilian network, as classified networks are not accessible from the Internet.
According to a listing on Shodan, the mailbox server was first identified as leaking data on February 8. It is not clear how the mailbox data was exposed to the public Internet, but it is likely due to a misconfiguration caused by human error.
USSOCOM spokesman Ken McGraw said in an email Tuesday that an investigation, which began Monday, is ongoing. “We can confirm at this time that no one has breached the US Special Operations Command’s information systems,” McGraw said.
It is not known whether anyone other than Sen found the exposed data during the two-week window when the cloud server was accessible from the Internet.