Sensitive US Air Force data found exposed online

A misconfigured, unsecured backup drive containing a huge amount of sensitive (but not classified) data on US Air Force officers has been sitting online, accessible to anyone, for who knows how long.

The discovery was made by MacKeeper security researchers, who managed to pinpoint the owner of the device – a Lieutenant in the force – and notify him of the danger.

The contents of the drive

Among the documents on the drive the researchers found were:

• Personal information (names, addresses, ranks, Social Security numbers) of over 4,000 officers.
• Information about the security clearance levels of hundreds of officers
• SF-86 application forms for two US four-star generals (containing highly sensitive info such as their foreign contacts and activities, psychological and emotional health, financial record, etc.)
• A file that contains Defense Information Systems instructions for encryption key recovery
• A scanned image of the Lieutenant’s JPAS account (Joint Personnel Adjudication System) from the Department of Defence (with the login url, user ID and Password to access the system)
• Some NATO documents
• Scans of passports
• Email files

“The most shocking document was a spread sheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims. There were many other details from investigations that neither the Air Force or those being investigated would want publically leaked,” the researchers noted.

It’s impossible to tell who else might have accessed the drive before the researchers flagged it and it was taken offline, as the device was easily discoverable with a simple online search.

There’s a wider problem

It is widely known that all kinds of information can be found exposed online, in unsecured servers, databases, and devices.

Unfortunately, this particular situation doesn’t seem to get any better with time, despite the fact that inadvertent leakage of sensitive info is regularly covered by news outlets. People simply don’t know or forget to secure these assets, or misconfigure them by mistake, allowing remote attackers free access.

“Cloud backups are a huge security risk if not managed properly. By failing to use the most basic security measure, a password, the US Air Force left all the information necessary to carry out a targeted cyber extortion campaign free for the taking,” Vishal Gupta, CEO of Seclore, commented the news.

“And, it remains unclear whether the data was misused – which is likely to remain the case due to the lack of information tracking and auditing capabilities. So, while we’ll never know the exact scope of the damage, this incident should serve as yet another example of why persistent data-centric security controls and auditing tools are needed to assure information isn’t put at risk by users.”

“In all likelihood, the lieutenant colonel responsible for the unsecure backup was completely unaware that he or she was putting this data at risk. Government IT teams must put foolproof measures in place that ensure that regardless of who is acting on or storing sensitive documents, adequate security precautions remain in place. Until then, you can bet this won’t be the last time military personnel unwittingly jeopardize information security,” he concluded.