The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year.
According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency — the DOD’s military intelligence agency — said, “numerous email messages were inadvertently exposed to the Internet by a service provider,” between February 3 and February 20, 2023.
TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft’s cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.
The DOD is sending breach notification letters to around 20,600 individuals whose information was affected.
“As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing,” said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.
DefenseScoop first reported news of the breach notification letters.
TechCrunch exclusively reported in February 2023 that the DOD was spilling about three terabytes of internal military emails, some of which pertained to U.S. Special Operations Command, or SOCOM, which carries out special military operations overseas. Some of the exposed information included sensitive personnel information and questionnaires by prospective federal employees seeking security clearances.
Anyone with the public IP address of the exposed cloud email server could access the sensitive but unclassified emails inside using only a web browser.
Security researcher Anurag Sen discovered the exposed data spilling online and asked for TechCrunch’s help in reporting the data exposure to the U.S. government. TechCrunch reported the spill to SOCOM on February 19. The cloud email server was secured on February 20 after TechCrunch escalated the incident to senior U.S. government officials after not hearing back.
It’s not clear for what reason the DOD took a year to investigate the incident or notify those affected.
A spokesperson for Microsoft did not respond to a request for comment.