Pentagon says 26K people impacted by data breach from early 2023


The US Department of Defense (DOD) is notifying more than 26,000 current and former employees, job applicants, and partners whose sensitive personally identifiable information was exposed in a “data breach incident” detected in early 2023, DefenseScoop has learned.

It seems that a certain service provider inadvertently exposed personal email messages. DefenseScoop viewed a notice encouraging longtime DOD officials to sign up for government-provided identity theft protection services.

“This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3rd, 2023, through February 20th, 2023, numerous email messages were inadvertently exposed to the internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation,” states the document by the Defence Intelligence Agency, dated February 1st, 2024.

ADVERTISEMENT

A Pentagon spokesperson did not comment on the status of networks and systems but clarified that the affected server was removed on February 20th last year and that the incident involved multiple department organizations.

Last year, a US Department of Defense cloud server was found wide open on the internet, leaking vast amounts of sensitive US military emails. Discovered by a white hat hacker, Anurag Sen, the server was left exposed on the internet for at least two weeks before it was taken offline by the government.

Leaked emails dated back years. Some contained sensitive personnel information, completed federal security clearance questionnaires filled with personal health data, or other highly sensitive personal details.

TechCrunch has learned that the breach disclosure relates to this unsecured email server.

The Pentagon server was hosted on the Microsoft Azure Government cloud and was part of an internal mailbox system containing roughly three terabytes of internal military emails – many connected to the US Special Operations Command (USSOCOM).