US Military Notifies 20,000 of Data Breach After Cloud Email Leak

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year. According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency -- the DOD's military intelligence agency -- said, "numerous email messages were inadvertently exposed to the Internet by a service provider," between February 3 and February 20, 2023. TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft's cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.

The DOD is sending breach notification letters to around 20,600 individuals whose information was affected. "As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing," said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

Fuck Government

[Anonymous Coward]

Glad they rolled out all that FedRamp compliance bullshit a few years back which caused "the little guys" to not be able to compete, and basically gave Microsoft, Amazon, and Google a free pass to run government services.

Re:Fuck Government

[Valgrus Thunderaxe]

It doesn't sound like it was Microsoft's fault in this case but rather the entity operating the e-mail server.

Re:

[quonset]

Considering how often companies such as Microsoft force people to change passwords on new installations, how/why is this not done for their cloud offerings? Or isn't that part of their security process?

Re:

[Anonymous Coward]

It doesn't sound like it was Microsoft's fault in this case but rather the entity operating the e-mail server.

Did I just get whooshed by you acknowledging that Microsoft Exchange 360 E4 Bedlam DL3 (now with Less CALs!) isn't a mail server, or are you unaware of Microsoft's shitty antiquated 1996-era binary blob store of a mail system?

Space Force?

[laughingskeptic]

The only major DoD organization that small is Space Force with 8,000 active duty. Adding in civilians and contractors would give roughly the number indicated.

Re:

[CaptQuark]

It doesn't have to be an entire military branch. It could have been Special Ops Command, Southern Command, Eglin AFB personnel, soldiers deployed on ships in the middle east, Army Contracting Command, Air Combat Command, etc.

There are plenty of commands and units that could combine to make up the 20,000 individuals that were affected.

Government Cloud

[awwshit]

WTF?

In the Government Cloud it should not be possible to do things like remove all authentication. There should be enforced security by default.

Do as we say, not as we do

[Anonymous Coward]

FCC requires telcos to disclose breaches within seven days. DoD, well shit, they can take year.

Re:

[Anonymous Coward]

DoD requires that I notify them within 72 hours if I have a breach. I need to know the full impacts and have full contact details and traceability on everything, within 72 hours.

“Rapidly report” means within 72 hours [acquisition.gov] of discovery of any cyber incident.