Post-data breach, DOD held ‘very candid discussions’ with Microsoft
Pentagon leadership is satisfied with the security protocol adjustments Microsoft made in the aftermath of the data spill that exposed the sensitive, personal information of more than 20,000 people early last year, according to the department’s Chief Information Officer John Sherman.
In an interview last week on the sidelines of the annual GEOINT Symposium, the CIO provided new details about his team and the tech vendor’s ongoing response to that massive, but still publicly murky, data breach incident.
“I want to emphasize that Microsoft did a thorough after-action review to determine what happened on that, and to ensure it wouldn’t happen again,” he told DefenseScoop, adding that due to sensitivities he couldn’t elaborate on what was found.
Broadly, Sherman’s responses suggest there’s still much to be revealed regarding the incident’s scope and Microsoft’s immediate handling of the data compromise, which impacted thousands of current and former Defense Department employees, job applicants and partners in February 2023 — though most weren’t alerted about it until a year later.
“I’m not going to be able to confirm which DOD components were affected,” he said in the interview.
As DefenseScoop initially reported when this security incident first came to light, heaps of emails containing personally identifiable information (PII) were inadvertently exposed and accessible online via commercial servers for a little over two weeks.
Although Sherman and other senior officials would not confirm the DOD organizations that had emails and other records unmasked in the breach, screenshots that an independent security researcher shared with DefenseScoop of the data present on the Microsoft server when it was exposed online show sensitive details associated with U.S. Special Operations Command personnel.
The text included multiple military officials’ names, spouses’ names and addresses — and also detailed a variety of other personal information including but not limited to their religious preferences, the churches they attend, their pets and overall deployment history.
“What I will tell you is that we worked very closely with Microsoft on this to see what happened. They were very forthcoming about what happened, and they adjusted their procedures to make sure that this would not happen again, in terms of the personally identifiable information, or PII that was compromised,” Sherman told DefenseScoop.
“And so this isn’t us raking them in over the coals or anything like that, but we had some very candid discussions at my level to protect our service members and civilians. But I will not be able to go through the affected entities within DOD,” he added.
Sherman said he wanted to give Pentagon Deputy Chief Information Officer for Cybersecurity David McKeown and his team “a shout out” for working closely with the impacted military components and Microsoft to respond to the incident.
In September 2023, the department awarded an identity protection services-focused contract for a vendor to notify and support all individuals who had data unmasked in the breach.
Sherman could not immediately confirm whether everyone involved has been notified of the exposure to date.
He also wouldn’t supply in-depth information regarding what was believed to be the original cause of the data spill, though he broadly pointed to “cyber hygiene and configuration management.”
“I won’t get into a lot of details. This is just kind of, from my words, just kind of [about] good housekeeping here of procedures and adhering to procedures. And again, Microsoft, the vendor, has been very transparent on this — as with any entity that’s gone through something on being forthright on what needed to be fixed. [The DOD’s zero-trust concept] is kind of about this. But part of this is just when you say you need to do A, B, C, and D, you have to do those things — and double check it to make sure all the barn doors are closed, that should be closed,” Sherman said in the interview.
On Tuesday, a Microsoft spokesperson declined to comment.
The company is one of four major U.S. technology giants competing for individual task orders to ultimately provide the Pentagon’s envisioned enterprise cloud capability that will underpin vital data workloads to enable future military operations.