The U.S. Department of Defense took action to secure a server that had been unintentionally exposing internal military emails to the public internet for the past two weeks.
This server, hosted on Microsoft's Azure government cloud, was specifically used by the Department of Defense and housed sensitive but unclassified government data. It was part of an internal mailbox system storing approximately three terabytes of military emails, many of which were related to the U.S. Special Operations Command (USSOCOM), the branch responsible for special military operations.
Due to a misconfiguration, the server was left without a password, granting anyone with the server's IP address and a web browser unrestricted access to the sensitive mailbox data.
Anurag Sen, a well-intentioned security researcher with CloudDefense.AI who is known for discovering inadvertently exposed data online, came across the server over the weekend. Sen promptly shared the details with TechCrunch, which allowed the necessary authorities to be alerted.
The server contained a significant amount of internal military emails spanning several years, some of which contained sensitive personnel information. Notably, one of the exposed files included a completed SF-86 questionnaire, typically filled out by federal employees seeking security clearance. These questionnaires contain highly sensitive personal and health information used to vet individuals before granting access to classified information. In 2015, a breach at the U.S. Office of Personnel Management resulted in the theft of millions of similar background check files by suspected Chinese hackers.
Fortunately, the data seen by TechCrunch did not appear to be classified, which is consistent with the fact that classified networks are generally inaccessible from the internet.
According to Shodan, a search engine that scans the web for exposed systems and databases, the server first began leaking data on February 8. The exact cause of the exposure to the public internet remains unclear, but it is likely a result of human error leading to misconfiguration.
TechCrunch reached out to USSOCOM on Sunday, despite it being a U.S. holiday weekend, but the server was not secured until Monday afternoon. The exposed server was made inaccessible shortly after.
USSOCOM spokesperson Ken McGraw confirmed on Tuesday that an investigation into the incident had commenced on Monday. McGraw stated, "At this point, we can confirm that no one hacked U.S. Special Operations Command's information systems."
It is unknown whether anyone other than Sen accessed the exposed data during the two-week period when the cloud server was accessible from the internet. TechCrunch inquired about the Department of Defense's technical capability to detect evidence of improper access or data exfiltration from the database, but the spokesperson did not provide a response.