The Pentagon is sending out breach notification letters to individuals who may have been impacted by a 2023 email breach.
Back in 2023, it was revealed that a government cloud email server had been connected to the internet without a password requirement. The server was used to share sensitive government data. It was part of an internal mailbox that stored approximately three terabytes of military emails. The server was hosted on Microsoft’s Azure cloud for Department of Defense customers, but was misconfigured and allowed anyone on the internet to access mailbox data by knowing the server’s IP address alone. The vulnerability was found by security researcher Anurag Sen, who helped alert the government.
While the military messages did not contain classified information, they did contain highly sensitive personal and health information collected for various purposes, including from people who had submitted it when seeking a security clearance. An online search engine revealed that the data was likely exposed on February 8th, 2023, most likely due to human error. The server was secured by February 20th, 2023.
Now, the Pentagon is beginning to alert current and former employees, job applicants, and others that their personal information may have been exposed online. It’s estimated that over 20,000 individuals may have been impacted. According to DefenseScoop, letters to affected individuals are dated February 1st, 2024, and are being sent by the Defense Intelligence Agency.
The letter did not specify what information was exposed, simply noting that it included personally identifiable information (PII), which may include addresses, Social Security numbers, credit card information, and more.
A Pentagon spokesperson said, “As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure.”
The spokesperson also said that the Department of Defense would continue improving the prevention and detection of future cyber events.
Regarding the time it took to send notifications, the spokesperson said, “Each organization reviewed the affected information to determine whether their personal data was part of the exposure. Following this analysis, a small portion of data from multiple organizations required a secondary review for validation of the identities of affected individuals and contact information. This overall assessment process took several months.”
This security event highlights the potential for human error to result in data exposure. In this situation, data may or may not have been viewed by malicious actors. Fortunately, no classified information was included, but the release of personally identifiable information could still be problematic for impacted individuals.