The Defense Department is reportedly conducting a new review prompted by an alert from a non-government source that heaps of U.S. military emails containing sensitive personnel data were exposed publicly online this month, via a server hosted on Microsoft’s Azure government cloud.
Security researcher Anurag Sen reportedly discovered the exposure this weekend and flagged it to TechCrunch, the first publication to report on the incident — which it did after notifying the Pentagon.
Sen regularly seeks out and works to safeguard open databases and vulnerable servers holding information that might be sensitive to national security.
“I found out about [this exposure] during a routine check,” Sen told DefenseScoop on Tuesday.
What was probably a misconfiguration issue, likely associated with a human-made error according to Sen, enabled any person who knew the correct IP address to access certain sensitive military messages and data by typing that address into an internet browser.
“It was that simple,” the cybersecurity researcher said.
Much of the information exposed in this incident allegedly pertained to U.S. Special Operations Command. Sen would not comment on the potential existence of any other, similar vulnerabilities impacting Pentagon data workloads in commercial servers at this time — but suggested that DOD conduct its own “routine checkups” on the commercial cloud services it relies on.
After repeated attempts for clarification on Tuesday, spokespersons from the Office of the Secretary of Defense and Special Operations Command referred DefenseScoop to U.S. Cyber Command regarding this exposure.
DefenseScoop reached out to Cyber Command but a spokesperson there has not confirmed the scope of the investigation into this or the military component that’s leading it. The official also did not verify details from TechCrunch’s reporting, or share how long this data was left unprotected, what information was compromised, and whether DOD is working to confront similar server-related security issues in the near term.
“As a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage. Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate,” a Cybercom spokesperson said in a statement to DefenseScoop.
Microsoft is one of four major U.S. technology companies currently competing for individual task orders to ultimately provide the Joint Warfighting Cloud Capability (JWCC) – the Pentagon’s envisioned enterprise cloud that is intended to underpin future operations. A spokesperson from the company did not respond to DefenseScoop’s request for comment.
Updated on Feb. 21 at 6:55 PM: This story has been updated to include a statement from a U.S. Cyber Command spokesperson.