US military reports data breach to 20,000 people after cloud email leak


The US Department of Defense notified tens of thousands of people that their personal information was exposed in an email data breach last year.

According to the breach notification letter sent to affected individuals on February 1, the Defense Intelligence Agency – the military intelligence agency of the DOD – said that “numerous electronic messages were inadvertently exposed on the Internet by a service provider” between February 3 and February 20, 2023.

TechCrunch has learned that the breach disclosure letters concern an insecure US government cloud email server that broadcast sensitive emails over the open Internet. The cloud email server, hosted on Microsoft’s cloud for government customers, was accessible from the Internet without a password, likely due to misconfiguration.

DOD is sending breach notification letters to approximately 20,600 individuals whose information was affected.

“For reasons of security practices and operations, we do not comment on the state of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor fixed the issues that caused the exposure. DOD continues to collaborate with the service provider to improve the prevention and detection of cyber events. Notification to affected individuals is ongoing,” said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

DefenseScoop first reported news of the breach notification letters.

TechCrunch exclusively reported in February 2023 that the DOD was exposing approximately three terabytes of internal military emails, some of which involved the U.S. Special Operations Command, or SOCOM, which conducts special military operations overseas. Some of the exposed information included sensitive personal information and questionnaires written by potential federal employees seeking security clearances.

Anyone with the public IP address of the exposed cloud mail server could access the sensitive but unclassified emails it contained using only a web browser.

Security researcher Anurag Sen discovered the exposed data online and sought TechCrunch’s help in reporting the data exposure to the US government. TechCrunch reported the spill to SOCOM on February 19. The cloud email server was secured on February 20 after TechCrunch reported the incident to senior US government officials with no response.

It’s unclear why it took DOD a year to investigate the incident or notify those affected.

A Microsoft spokesperson did not respond to a request for comment.

