On Monday, it was discovered that an unsecured server at the Department of Defense (DOD) had been leaking sensitive military emails online for two full weeks. The incident is being blamed on a misconfiguration that left the server without a password.
The server contained files with sensitive personnel information from the past several years, including completed SF-86 questionnaires, which contain background information for personnel with security clearance. The server is a treasure trove of sensitive information for anyone looking to do harm to the U.S.
The compromised server was hosted on Microsoft's Azure government cloud, which is exclusively for DOD customers. The Azure servers are physically separated from those for commercial customers and can be used to share sensitive information, although no classified material. The exposed server acted as part of an internal email system storing roughly 3 terabytes of internal military emails, several of which pertained to U.S. Special Operations Command (USSOCOM), which is the military unit that conducts special operations.
A misconfiguration of the server left it, and its sensitive email contents, without a password and openly exposed on the internet. Anyone could access the server using only an internet browser and the server's IP address.
Data on the server includes military emails, some of which contain sensitive personnel information, dating back years. Among the exposed emails were several SF-86 questionnaires, the form completed by anyone seeking a security clearance; it contains highly sensitive personal background and health information used to vet applicants. The information in the SF-86 questionnaires would be valuable to U.S. adversaries.
Regrettably, this is not the first such breach of sensitive information. In 2015 the U.S. Office of Personnel Management had a significant data breach when a Chinese hacker stole millions of background check files for government employees applying for security clearance.
None of the limited data reviewed by the media thus far has been classified, which is consistent with the server belonging to USSOCOM's unclassified (civilian) network. For security purposes, all classified networks are internal and inaccessible from the internet.
It appears that the vulnerable server was first discovered to be leaking sensitive data on February 8. While it is still unclear exactly how the server came to be exposing data on the public internet, the most likely cause is a misconfiguration resulting from human error.
The server was finally secured Monday afternoon, and a senior Pentagon official has confirmed that details of the exposure have been passed along to USSOCOM to be handled accordingly.