A hole in a US military email server operated by Microsoft left more than a terabyte of sensitive data exposed to the internet less than a month after Office 365 was awarded a higher level of government security accreditation.
According to security researcher Anurag Sen, who discovered the blunder and reported it, the openly accessible server was part of an internal mailbox system hosted on Azure Government Cloud and used by the Department of Defense for a variety of purposes – including the processing of security clearance paperwork.
Sen reportedly found the exposed public-facing server over the weekend and determined it was sitting there without a password, allowing anyone who had its IP address and a browser to access the data.
Documents Sen shared with The Register, said to be from the exposed server, include a rich amount of data that would certainly be valuable to a foreign adversary. It included all the usual PII, as well as blood type, religious affiliation, educational background, military service history and more, all in plain text. Sen told us that close to 3TB of data was available before the Azure server was taken offline on Monday.
Per Bloomberg, which said it spoke to individuals at the DoD and Microsoft, both the Pentagon’s Cyber Command and Microsoft are investigating the incident. The server had reportedly been accessible to the internet since February 8 before being secured and removed from public access.
Thus far in the probe, there’s no sign the data was accessed by miscreants, DoD sources told Bloomberg.
Blame is good for business, just probably not Microsoft’s
The Pentagon and Microsoft have reportedly blamed each other for the error, but without receiving answers to our questions from either party there’s only so much that can be determined, namely that an internal DoD email server appears to have been given a public IP without any sort of password protection.
No matter who’s to blame, someone messed up. If the DoD’s Inspector General’s office is to be believed, there’s a good chance that the fault lies within the government for misconfiguring its IT environment, and not Microsoft.
An audit of the DoD’s compliance with commercial cloud security requirements published [PDF] earlier this month found that every single branch was failing to properly evaluate commercial cloud service offerings (CSOs).
According to the audit report, authorizing officials “did not review all required documentation to consider the … risks to their systems,” nor did they “consider system risks that were identified in the supporting documentation” as “all five [authorizing officials] believed the [government acquisition] processes were sufficient to mitigate risk to their respective systems.”
With that in mind, said the redacted report, the Inspector General wants CIOs from the Army, Navy/Marines and Air Force to “reevaluate the authorization to operate for the five cloud systems we reviewed,” but didn’t state which systems it investigated.
The government has contracts with Amazon Web Services, Google Cloud, Oracle, and Microsoft for its cloud program, and each offers several services as part of the deal. The IG report said it examined five cloud systems from three authorized companies as part of the review.
The latest Microsoft system to get approval – Office 365 Government Secret Cloud – is cleared for operation at Impact Level 6, the highest level of classification allowed in the commercial cloud. Other systems approved for DoD cloud use only reach IL5.
Approval for the new security level of Office 365 comes as the federal government tries to build out its $9 billion Joint Warfighting Cloud Capability program, authorized late last year, that replaced the JEDI program, which was intended to award Microsoft the sole cloud contract for the DoD. Amazon, Oracle and Google all complained that making Microsoft the sole awardee would be unfair, leading to the JEDI program being canceled in 2021.
With the DoD and Microsoft now apparently trying to blame each other for an egregious security failure, the window is open for those other three to swoop in and further disrupt the Redmond/DC relationship.
A relationship that, mind you, has already been reassessed once this year and found wanting. ®