A Department of Defense server hosting sensitive internal military emails was left exposed online without a password for two weeks due to a misconfiguration, TechCrunch reported.
The outlet explained that anyone with internet access and knowledge of the server’s IP address would have been able to view the sensitive mailbox data.
The Pentagon’s exposed server, hosted on Microsoft’s Azure government cloud used by DOD customers, contained three terabytes of sensitive internal military emails with years of personnel information. Most of the emails pertained to U.S. Special Operations Command, a military command responsible for conducting special operations missions worldwide.
At least one exposed email included a security clearance questionnaire containing a federal employee’s highly sensitive personal and health information. The outlet explained that sensitive employee background information could be valuable to foreign adversaries.
TechCrunch noted that none of the data appeared to be classified, which is consistent with USSOCOM’s civilian network. Classified servers are not connected to the internet to ensure security.
The open server was discovered by an independent cybersecurity researcher, Anurag Sen, who was running vulnerability tests over the weekend. TechCrunch estimated that the leak occurred as early as February 8 and likely resulted from human error. After alerting the DOD on Sunday, a senior Pentagon official confirmed that the information was passed along to USSOCOM, and the agency secured the server by Monday afternoon.
U.S. Special Operations Command spokesperson Ken McGraw told the news outlet, “We can confirm at this point … no one hacked U.S. Special Operations Command’s information systems.” He noted that DOD launched an investigation on Monday into what caused the error.
At this time, it is unclear if anyone other than the security researcher who reported the issue accessed the sensitive data during that two-week timeframe. A DOD spokesperson did not specify if the agency has the ability to view logs or detect improper access.
KOMO-TV reported that a USSOCOM spokesperson declined to provide additional details regarding the open server and noted that the DOD’s Cyber Command would address questions going forward. Cyber Command has not yet responded to a request for comment, the outlet noted.
Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!