A data breach that exposed personal information from over 20,000 individuals linked to the US Department of Defense (DOD) has raised concerns. After the incident was discovered in February 2023, email exchanges with personally identifiable information (PII) were left exposed for over three weeks.
Due to a third-party service provider misconfiguration, the names, addresses, credit card information, and possibly Social Security numbers of former DoD personnel, job applicants, and partners were exposed. The defense department denies misusage, but the year-long delay in reaching out to impacted individuals raises data security and internal communication issues.
A Pentagon spokesperson confirmed that the data breach impacted over 20,600 people. Due to operational security standards, the representative declined to discuss the US Department of Defense's networks and systems. They certified that the vulnerable server was protected on February 20, 2023, and the misconfiguration vendor fixed the vulnerabilities.
(Photo : Alex Wong/Getty Images)The Pentagon is seen from a flight taking off from Ronald Reagan Washington National Airport on November 29, 2022 in Arlington, Virginia.
While the DoD has implemented corrective measures to secure the exposed server and enhance detection protocols, the delayed notification requires further scrutiny. The notification document, as reported by DefenseScoop, states: "While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation."
While the Pentagon spokesperson did not disclose the exact date notification efforts began, they assured that the Department of Defense is actively working with the service provider to improve cyber security measures, including prevention, detection, and communication.
Additionally, the Defense Intelligence Agency (DIA) informed affected individuals through a letter that the department has collaborated with the service provider to understand the incident and implement safeguards for the future. These safeguards include revised procedures and enhanced anomaly detection capabilities.
Data Leakage: A Recurring Issue in DoD
This recent data breach incident follows another data security lapse that plagued the DoD last year. Millions of emails intended for Pentagon employees were mistakenly sent to Malian email accounts due to typos in domain names.
This prior disclosure exposed sensitive information like X-rays, medical data, identity documents, ship crew lists, base staff lists, maps, photos, naval inspection reports, contracts, criminal complaints against personnel, internal bullying investigations, official travel itineraries, bookings, and tax and financial records, according to Financial Times.
However, in recent years, misdirected DOD emails have decreased, but hundreds still arrive daily. According to CNN, Some emails contain sensitive information, but most are spam. Nevertheless, this incident highlights the recurring challenges faced by the DoD in securing sensitive data.
Sensitive Military Data Being Sold Online
Recently, Axios reported a concerning finding by a Duke University study stating that data broker websites sell sensitive and comprehensive personal information of thousands of active-duty and veteran US military personnel for as low as one cent per name.
This discovery impacts current and former military people, their families, and friends since bad actors may easily access and exploit this data. The analysis shows that the data might be used for blackmail and disinformation operations.
According to the November report, the obtained data includes military personnel's full names, physical and email addresses, health and financial information, ethnicity, religion, and political affiliation. The data also covers residence, marital status, and child status. Some children's ages and genders are available.