US Military Cloud Data Breach: Pentagon Notifies 20,600 People Impacted by Email Data Breach
The US Department of Defense (DOD) has recently alerted over 20,000 present and past employees, job applicants, and collaborators regarding a data breach that occurred earlier in 2023, according to a story first reported by DefenseScoop.
The breach notification, sent out on February 1, reveals that the Defense Intelligence Agency, a branch of the DOD specializing in military intelligence, discovered that “numerous email messages were inadvertently exposed to the Internet by a service provider” between February 3 and February 20, 2023.
Essentially, it appears that a service provider unintentionally made email messages containing personal information accessible on the internet. DefenseScoop also reported a notification urging long-serving DOD officials to enroll in government-provided identity theft protection services.
The letter sent to those potentially affected explains the breach:
“This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3, 2023, through February 20, 2023, numerous email messages were inadvertently exposed to the Internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation.”
PII encompasses any data that could identify someone, such as addresses, Social Security numbers, credit card information, and biometric records. In response to inquiries from the media, a Pentagon spokesperson declined to specify the involved service provider but confirmed that “over 20,600 individuals” were affected.
“As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure,” the official stated.
The spokesperson did not disclose when the department began informing individuals about the breach, which occurred over a year ago.
Regarding ongoing efforts, the spokesperson stated, “DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing.”
The letter sent to potential victims also mentions the DIA’s efforts post-incident. It states that the department collaborated with the service provider to understand the breach’s cause and prevent future risks. This involved procedural changes and implementing additional capabilities for detecting anomalies and issuing alerts.
“The incident involved multiple department organizations. Each organization reviewed the affected information to determine whether their personal data was part of the exposure. Following this analysis, a small portion of data from multiple organizations required a secondary review for validation of identities of affected individuals and contact information. This overall assessment process took several months. DOD obtained an Identity Protection Services contract for the affected individuals of these organizations. The contract was awarded in September 2023, and each affected organization has been working actively with the contractor to notify the affected individuals,” the Pentagon spokesperson told DefenseScoop.
Although the spokesperson refrained from commenting on network and system statuses, they clarified that the affected server was removed from public access on February 20 of the previous year and that multiple department organizations were involved in the incident.
In a similar incident last year, a US Department of Defense cloud server was found openly accessible on the internet, leaking a significant amount of sensitive US military emails. Discovered by a white hat hacker named Anurag Sen, the server remained exposed online for at least two weeks before the government took it offline.
The leaked emails, spanning years, contained sensitive personnel information, completed federal security clearance questionnaires containing personal health data, and other highly confidential details.
Hosted on the Microsoft Azure Government cloud, the Pentagon server was part of an internal mailbox system containing approximately three terabytes of internal military emails, many of which were linked to the US Special Operations Command (USSOCOM).