A United States Air Force officer appears to have accidentally exposed extremely sensitive information including the personal information of over 4,000 Air Force officers (names, contact information, ranks, Social Security Numbers, etc.), clearance-application-related information, information about on-going Air Force investigations related to sexual harassment and financial crimes, and instructions for recovering keys used to encrypt military documents. Personal information related to the spouses of Air Force officers also appears to have been made available on the Internet.
How could this possible happen?
The source of the leak appears to be an improperly configured backup drive (or other form of backup device) belonging to a Lt. Col. (whose login credentials to a military system were found in the dump) who apparently did not realize that the Internet-accessible device was not secured.
How do we know that this happened?
The trove of data was recently discovered online by security researchers at MacKeeper, and, thankfully, was taken down shortly thereafter.
What is the danger from this leak?
It is not clear yet if any hostile parties obtained copies of the data while it was publicly accessible.
There is potentially serious danger to national security if anyone did - hostile parties can use the information to cause aggravation for officers (by stealing their identities) and thereby reduce their expected productivity, as well as to identify targets for recruitment as spies. The data contains a list of which officers have which level clearances, and also has records from their clearance applications including details about their finances, criminal records, mental health history, relationships with citizens of foreign countries, and other private matters. Hostile parties may be able to ascertain from the data which officers are under financial pressure and can be recruited with financial incentives, which officers have relatives who may be loyal to other countries, etc. Clearly, the Air Force will need to investigate and take precautions.
What are the lessons to all of us from this incident?
Encrypt all sensitive information - including when it is stored, when it is transported, and when it is backed up.
2. Confirm that security is implemented properly.
Verify that anything you connect to the Internet is secured the way you expect it to be.
3. Understand that everyone can make cybersecurity mistakes
Even military officers who receive data protection training can make serious cybersecurity mistakes - so, don't think that you are infallible. I know I am not.
Here are some comments on the Air Force leak incident from some others in the field:
Jonathan Sander, CTO, STEALTHbits Technologies:
"When people see that a system misconfiguration leads to sensitive data like the USAF top secret data leaking out, they often conclude that the admins are only human and there's only so much they can do. The problem is that is the end of their thought, instead of moving to the realization that their humans desperately need automated help. This was found, luckily, by a good guy using automated scanning to see what they could find. It's the kind of thing that can be - and may have been - found by the bad guys. They are using automation to do their work, and we need the government to equip our good guys to do the same."
David Vergara, Head of Global Product Marketing, VASCO Data Security:
"Hollywood plays up sophisticated methods to gain access to sensitive data as it makes for great movies, but the reality is most leaked data results from easy targets like an unsecured drive left behind at an airport or cab and other low-tech schemes. Regardless of the leak point, there is a simple "silver bullet" that secures data, it's encryption. Modern encryption solutions are not only widely available for all types of end-point devices they're also inexpensive. Especially in light of the costs that businesses and, of course, the government will now shoulder to protect (i.e. credit monitoring) individuals affected, address related fines and repair the brand. Businesses and government agencies are getting better about utilizing encryption, but it needs to be deployed more ubiquitously across mobile, network, storage and other channels. Once encryption has been addressed, then they can focus on other vulnerabilities like mobile malware."
Robert Capps, VP of Business Development, NuData Security:
"This is a serious data leak, which allows nation states to target high-value military personnel for additional attacks and surveillance. If that weren't bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals. Such profiles can be leveraged by cybercriminals and nation-state actors to not only track military personnel, but also use their real identities for account takeovers, apply for new credit, and much more. The military personnel involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts."