A misconfigured, unsecured backup drive containing a huge amount of sensitive (but not classified) data on US Air Force officers has been sitting online, accessible to anyone, for who knows how long.
The discovery was made by MacKeeper security researchers, who managed to pinpoint the owner of the device – a Lieutenant in the force – and notify him of the danger.
Among the documents on the drive the researchers found were:
- Personal information (names, addresses, ranks, Social Security numbers) of over 4,000 officers, including information about the security clearance levels of hundreds of officers
- SF-86 application forms for two US four-star generals (containing highly sensitive info such as their foreign contacts and activities, psychological and emotional health, financial record, etc.)
- A file that contains Defence Information Systems instructions for encryption key recovery
- A scanned image of the Lieutenant’s JPAS account (Joint Personnel Adjudication System) from the Department of Defence (with the login URL, user ID and password to access the system)
- Some NATO documents, scans of passports and email files
“The most shocking document was a spreadsheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims.”
It’s impossible to tell who else might have accessed the drive before the researchers flagged it and it was taken offline, as the device was easily discoverable with a simple online search.
There’s a wider problem
It is widely known that all kinds of information can be found exposed online, in unsecured servers, databases, and devices.
Unfortunately, this particular situation doesn’t seem to get any better with time, despite the fact that inadvertent leakage of sensitive info is regularly covered by news outlets. People simply don’t know or forget to secure these assets, or misconfigure them by mistake, allowing remote attackers free access.
“Cloud backups are a huge security risk if not managed properly. By failing to use the most basic security measure, a password, the US Air Force left all the information necessary to carry out a targeted cyber extortion campaign free for the taking,” said Vishal Gupta, CEO of Seclore.
“In all likelihood, the lieutenant colonel responsible for the unsecure backup was completely unaware that he or she was putting this data at risk. Government IT teams must put foolproof measures in place that ensure that regardless of who is acting on or storing sensitive documents, adequate security precautions remain in place,” he concluded.