A data breach can be an embarrassing admission for a company, but when it comes to a leak of government controlled data, particularly in regards to the sort of sensitive information held by national security agencies and the military, the stakes can become a lot higher. It appears that the US Department of Defence has had to make just such an admission, as it notified an estimated 20,600 individuals that some of their email messages and potentially personal information contained within had been exposed to the internet at large.
The breach occurred last year between February 3 and February 20, and has been attributed to an unsecured US government cloud email server hosted on Microsoft’s cloud for government customers (via TechCrunch). The server was believed to be accessible during this period without password access, meaning anyone with the public IP address could view the emails contained within using nothing but a web browser.
As a result the DOD has since sent breach notification letters to the estimated 20,600 individuals affected, which is probably a pretty hair-raising thing to receive in your mail box if you’d been working under the fairly reasonable assumption that your communications with or within the US Department of Defence were kept secure.
The leak is likely down to a simple misconfiguration of server settings, but as to the content within and further information, the DOD remains tight-lipped. Spokesperson Cdr. Tim Gorman said “As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access as of February 20, 2023, and the vendor has resolved the issues that resulted in the exposure”.
Thinking of upgrading?
Windows 11 review: What we think of the latest OS.
How to install Windows 11: Our guide to a secure install.
Windows 11 TPM requirement: Strict OS security.
While this isn’t the greatest look for Microsoft’s cloud platform, and a bit of an embarrassing admission, data breaches on a much larger scale than this from a variety of vendors have become depressingly common.
The “mother of all breaches” containing over 26 billion records of private user data was discovered back in January, while popular US communications carrier Verizon has also hit the headlines recently with a breach of 63,000 employees personal data.
Still, you could be forgiven for assuming that data kept by government agencies was kept in a more secure fashion, but the truth is these agencies still rely on cloud based solutions provided by major companies, and those solutions are just as liable to accidental exposure or a malicious attack as the rest of them.
Whether it’s a coordinated effort to steal data or something as simple as the misconfiguration of some server settings, the truth is that once you pass your information onto the interwebs, no matter who is handling the data, there is a real risk it can be exposed, even if you follow all the best practices yourself.