Cyber security researchers found approximately 3 T.B. worth of U.S. military emails containing sensitive information left unattended online. The finding predominantly contained exchanges between military personnel from the U.S. Special Operations Command, or USSOCOM. The combatant command oversees various special operations component commands of the U.S. military, including the Army, Air Force, Navy, and Marine Corps.
Even though the information was sensitive, the emails spilled online did not include any classified information. Top secret networks generally use internal specialized military networks entirely disconnected from the internet. The cyber security researcher named Anurag Sen came across the sensitive information over the weekend and then alerted TechCrunch. A journalist from the tech blog then reached out to the U.S. government on Sunday to inform them about the security incident. USSOCOM secured the server on Monday morning.
In a quote to TechCrunch, USSOCOM spokesperson Ken McGraw said there is an ongoing investigation and confirmed that no one hacked the U.S. combatant command. Even though the server is now secure, the U.S. military has not yet been able to verify whether the information has been accessed by anyone and the type of information that might have been stolen. The now-secured misconfigured server was sitting on Microsoft Azure’s government cloud. Microsoft has not yet released a statement about the incident.
The data was believed to have been left in the open for about two to three weeks before the cyber researcher found it. Anyone from anywhere worldwide could browse through the files if they knew the I.P. address. The cyber security incident is not an attack from a foreign state but a network misconfiguration that left the sensitive info on an unprotected server.
Emails were not the only data on the server; other information included extremely personal questionnaires from government staff. Such questionnaires contain sensitive information, such as social security numbers (SSN) and address info, and are used for vetting personnel seeking security clearance. The answers also include information about people such as relatives and friends of the questioned government staff.
Seeing a U.S. Department of Defense server with emails from many years being entirely left out in the open is scary, but this is not the first time such servers are left unprotected. Over the years, multiple high-profile companies have made the same mistake, and it appears that the U.S. military also occasionally has room for human error.