DoD Email Breach: Pentagon Tells Victims 12 Months Late

Personal info of tens of thousands leaks. Microsoft cloud email server was missing a password.

The Defense Department regrets to announce the PII of 26,000 people has leaked. Oh, by the way, this actually happened a year ago—but they’re only now getting around to telling victims.

Close enough for government work. In today’s SB Blogwatch, we see how far DoD can stretch “better late than never.”

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Maaaaaac.

3TB Email FAIL

What’s the craic? Brandi Vincent has the scoop—“DOD notifying more than 26,000 people”:

Unfortunate situation
The Pentagon is in the process of alerting more than 26,000 current and former employees, job applicants and partners that their sensitive personal information may have been exposed online in a “data breach incident” that was first detected in early 2023. … A Pentagon spokesperson … did not confirm which service provider was involved: … “As a matter of practice and operations security, we do not comment on the status of our networks and systems.”

The letter mailed to possible victims of the exposure [states], “A data breach incident … may have resulted in a breach of your personally identifiable information (PII). During the period of February 3, 2023 through February 20, 2023, numerous email messages were inadvertently exposed to the Internet. … Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation.”

With more craic, Zack Whittaker witters on—“Data breach after cloud email leak”:

DOD took a year to investigate
The breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft’s cloud for government customers, was accessible from the internet without a password.

[I] exclusively reported in February 2023 that the DOD was spilling about three terabytes of internal military emails, some of which pertained to U.S. Special Operations Command, or SOCOM, which carries out special military operations overseas. … Security researcher Anurag Sen discovered the exposed data spilling online. … It’s not clear for what reason the DOD took a year to investigate the incident or notify those affected.

How much email? 3TB, says Sead Fadilpašić—“Thousands of DoD personnel may have had their private data leaked”:

Threat actors
The exposed email server was hosted on Microsoft’s Azure government cloud … allowing it to share sensitive, but still unclassified data. This service offers servers that are physically disconnected from commercial customers, and was part of an internal mailbox system that held some 3TB of internal military email.

The database was secured a day after the news broke, but now, almost exactly a year later, the DOD started mailing affected individuals. … We still don’t know if any threat actors found the database.

But why so slow? alexjplant doesn’t sound surprised:

They take six to twelve months to certify bespoke applications built by contractors to the Navy’s spec to run on their networks. A one-year disclosure timeline seems appropriate.

This is unfortunate, but not without precedent. … This already happened almost a decade ago, but in a different department [OPM].

Is this somehow Microsoft’s fault (again)? This Anonymous Coward thinks so:

Glad they rolled out all that FedRAMP compliance bull**** a few years back, which caused “the little guys” to not be able to compete, and basically gave Microsoft, Amazon, and Google a free pass to run government services.

Microsoft Exchange [is a] ****ty, antiquated, 1996-era binary blob store of a mail system.

Is there a culture problem at the DoD? throwaway892238 knows the problem:

The big problem is it’s all self-attestation. I’ve worked for one of these vendors, and it was a lot of jack*** business people who didn’t actually care if anything was secure. They just wanted to “pass” their certification as quickly as possible and cut as many corners as they could.

Didn’t want to spend money on a contractor who knew how to actually pass these certifications, so instead they’d just lean on the IT dude and demand he complete things he didn’t know anything about on impossible timeframes, asking him to do things which they might be legally liable for, and basically trying to avoid doing any actual security work if at all possible. Lowers cost [and] gets their project going faster, which helps them land more contracts and get a promotion.

Lest we forget, it leaked because there was no password. aww**** is positively apoplectic:

WTF? In the Government Cloud it should not be possible to do things like remove all authentication. There should be enforced security by default.

Yeah, how does that even happen? hulitu has a snarky answer:

Because Microsoft said that we will all go passwordless now. /s

Meanwhile, Dodge This Security—@shotgunner101—eyerolls furiously:

“Go to the cloud,” they said.
“It will be better,” they said.🫠

And Finally:

When you update on the bleeding edge

TW: Beachball


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: kynd_draw (cc:by-sa; leveled and cropped)
