The U.S. Department of Defense discovered over the weekend that one of its servers had been exposing U.S. military emails on the open internet for the past two weeks, according to TechCrunch. The culprit was a missing password on the server, which was hosted on the Microsoft Azure government cloud used for DoD customers.
U.S. Special Operations Command (USSOCOM) and other DoD customers were impacted by this oversight. Anyone who knew the server's IP address could access the sensitive mailbox data during those two weeks. Security researcher Anurag Sen discovered the exposure this past weekend and reached out to TechCrunch, which in turn alerted the U.S. government.
SF-86 and other Sensitive Data Exposed
The impacted server did not hold classified information. However, internal military email messages and other sensitive information were exposed. But it wouldn’t be a data breach or system oversight without an SF-86 being impacted. Clearance holders are all familiar with the long questionnaire that holds previous addresses, information about relatives, Social Security number, and much, much more. It’s information that no one wants to be shared with hackers – or foreign adversaries. OPM just finished paying out checks to clearance holders impacted by its infamous data breaches, which occurred when it still held the keys to the personnel vetting kingdom.
USSOCOM Confirms Server Issue
According to TechCrunch, they “contacted USSOCOM on Sunday morning during a U.S. holiday weekend but the exposed server wasn’t secured until Monday afternoon. When reached by email, a senior Pentagon official confirmed they had passed details of the exposed server to USSOCOM. The server was inaccessible soon after.”
USSOCOM confirmed that no one hacked its information systems, and it’s not known or confirmed whether anyone discovered the exposed data. There is no word from the DoD on whether it has the capability to determine how much of the information was accessed by outsiders.
Humans play a key role in cybersecurity. A forgotten password, or a misconfiguration that leaves a server without one, can be the difference between giving our adversaries our information and making them work for it.