The US Department of Defense is notifying tens of thousands of people that their personal information was exposed in an email data breach last year.
According to the breach notification letter sent to affected individuals on Feb. 1, the Defense Intelligence Agency — DOD’s military intelligence agency — said, “numerous emails were inadvertently exposed to the Internet by a service provider,” between Feb. 3 and Feb. 20, 2023.
TechCrunch has learned that the breach disclosure letters relate to an unsecured US government cloud email server that routed sensitive emails to the open Internet. The cloud email server, hosted in Microsoft’s cloud for government customers, was accessible from the Internet without a password, likely due to a misconfiguration.
DOD is sending breach notification letters to about 20,600 people whose information was affected.
“As a matter of practical and operational security, we do not comment on the state of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that led to the report. DOD continues to work with the service provider to improve cyber incident prevention and detection. Notification to affected individuals is ongoing,” said DOD spokesman Cdr. Tim Gorman in an email to TechCrunch.
DefenseScoop first reported news of the breach notification letters.
TechCrunch exclusively reported in February 2023 that the DOD leaked about three terabytes of internal military emails, some of which involved the US Special Operations Command, or SOCOM, which conducts special military operations overseas. Some of the exposed information included sensitive personnel information and questionnaires from prospective federal employees seeking security clearances.
Anyone with the public IP address of the exposed cloud email server could access the sensitive but unclassified emails using just a web browser.
Security researcher Anurag Sen discovered the exposed data being leaked online and enlisted TechCrunch’s help in reporting the data exposure to the US government. TechCrunch reported the leak to SOCOM on February 19. The cloud email server was secured on February 20, after TechCrunch, having received no response, escalated the incident to senior US government officials.
It is unclear why DOD took a year to investigate the incident or notify those affected.
A Microsoft representative did not respond to a request for comment.
