Thousands of classified documents from the US Air Force (USAF) were accidentally left open for anyone on the internet to see, according to security researchers.
The details of over 4,000 USAF officers were discovered by researchers working at MacKeeper. This included information on personnel such as names, ranks, addresses and social security numbers.
The researchers said the device was misconfigured and thus publicly available to anyone with an internet connection. They said it contained backup data and appears to belong to a Lieutenant who didn't realise that it was not secured.
According to researchers, at the bottom of each page is a notice that reads: “Under the Privacy Act of 1974, you must safeguard personnel information retrieved through this system. Disclosure of information is governed by Title 5, United”
The researchers said that the most shocking document was a spreadsheet of open investigations that included the name, rank, location, and a detailed description of the accusations.
“The investigations range from discrimination and sexual harassment to more serious claims,” the researchers said in a blogpost.
Another leaked document included Defense Information Systems instructions for encryption key recovery.
“This is a comprehensive step by step guide of how to regain access to an encryption key and all of the URLs where someone can request information regarding a Common Access Card (CAC) and Public Key Infrastructure (PKI). The possible danger of leaking the email addresses and personal information of senior military officials is that through social engineering and other methods, bad actors could potentially gain access,” said the researchers.
The researchers also managed to find a scanned image of the Lieutenant's JPAS account (Joint Personnel Adjudication System) from the US Department of Defence. This included the login URL, user ID and Password to access the system.
Lee Munson, security researcher at Comparitech.com, told SC Media UK that the issue begs the question of what a US lieutenant colonel was doing with an unsecured drive full of personal information in the first place.
“Such a leak in the civilian sector would be of serious concern to those compromised, the organisation itself and the appropriate industry regulators,” he said. “Within the US army, such a basic and avoidable mistake is totally unforgivable, especially considering the nature of what it does and the fact that the leaked data is ripe for blackmailing purposes.”
“The senior officer responsible will, I suspect, be very fortunate indeed not to appear on the next list of open investigations that find their way onto, what I hope, will be a secured backup drive next time around.”
Robert Capps, VP of business development at NuData Security told SC that this is a serious data leak, which allows nation states to target high-value military personnel for additional attacks and surveillance.
“If that weren't bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals,” he said.
“Such profiles can be leveraged by cyber-criminals and nation-state actors to not only track military personnel, but also use their real identities for account takeovers, apply for new credit, and much more. The military personnel dinvolved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts.”