TechCrunch reports that a misconfiguration on a Department of Defense server that hosted sensitive military emails left it online for two weeks without a password.
According to the outlet, anyone who had internet access and knew the IP address of the server could have viewed sensitive mailbox data.
The Pentagon’s publicly accessible server was hosted on Microsoft Azure’s government cloud, which is used by DOD customers. It contained three terabytes of sensitive military emails and years of personnel data. The majority of the emails were from the U.S. Special Operations Command, which is responsible for carrying out special operations missions around the world.
One exposed email included a security clearance questionnaire containing highly sensitive health and personal information about a federal employee. According to the outlet, sensitive information about employees could be valuable to foreign adversaries.
TechCrunch reported that the data was not classified. This is consistent with USSOCOM’s civilian network, since, for security, classified servers are not connected to the internet.
Anurag Sen, an independent cybersecurity researcher, discovered the open server while running vulnerability tests this weekend. TechCrunch estimates that the leak happened as early as February 8, and was likely caused by human error. A senior Pentagon official confirmed the leak to TechCrunch on Sunday. The agency had secured the server by Monday afternoon after the alert was sent to the DOD.
Ken McGraw, a spokesperson for the U.S. Special Operations Command, told the outlet that “We can confirm at present… no one has hacked U.S. Special Operations Command’s information systems.” McGraw noted that the DOD had launched an investigation Monday into the cause of the error.
It is not clear at this point whether anyone other than the security researcher who reported the problem accessed sensitive data within the two-week period. The DOD spokesperson did not say whether the agency is able to access logs or detect inappropriate access.
KOMO-TV reported that the USSOCOM spokesperson declined to give additional information about the server. However, he said that the DOD’s Cyber Command would answer any questions. The outlet reported that Cyber Command has not responded to a request for comment.