The United States Marine Corps Force Reserve has become a victim of a massive data leak this week due to which sensitive, private data of around 21, 426 Marines, sailors, and civilians got exposed. Reportedly, on the morning of Monday, 26th February, the Defense Travel System or DTS of the Defense Department sent an unencrypted email to the wrong email distribution list.
This email contained an attachment, which actually was like a treasure trove of valuable sensitive and confidential personal information including bank account numbers, truncated social security numbers, bank routing numbers, bank electronic funds transfer numbers, truncated credit card information, mailing addresses, emergency contact information and residential address of thousands of Marine Corps personnel and civilians, stated Marine Forces Reserve’s spokesman Maj. Andrew Aranda in the official command release.
It must be noted that the DTS is a travel management system that the Defense Department uses for management of officially authorized trips, travel expenses, and itineraries. The unencrypted email was not only unintentionally sent to civilian accounts but also to those accounts that were hosted within the unclassified, official “usmc.mil” Marine domain.
According to Marine Corps Times’ report, currently, it is unclear how many people received this uncalled for email. Maj. Aranda stated that the mistake was “quickly noticed” and the Marine Forces Reserve implemented email recall procedures in order to minimize the number of recipients. Involvement of any malicious threat actor in this misconduct was also ruled out by Maj. Aranda.
“The Marine Corps takes the protection of individual Marines’ private information and personal data very seriously, and we have steps in place to prevent the accidental or intentional release of such information,” said Maj. Aranda.
At the moment, the data exposure is being investigated by the Marine Forces Reserves to evaluate the extent of the breach and the department is also planning to implement favorable, productive changes to improve the security of personal data and prevent similar incidents in the future. The affected personnel and civilians will also be notified about the breach and guidance will be offered by the department to mitigate the risk of identity theft and other frauds.
However, such incident not only poses online threats but also put victims at the risk of being a target by criminals and terrorists for instance in three separate incidents [1, 2, 3] the terrorist group ISIS leaked three “kill lists” containing sensitive and personal details of U.S. Military and Security Personnel. The group also urged its supporters in the United States to follow the list and kill every official on mentioned in the list.
In another incident, Ghost Squad Hackers leaked a list of 2,437 US Army personals including names, emails, phone numbers, Dob, addresses, zip codes, credit card data including types, numbers, expiration date and CVV codes in plain text.
Image credit: Shutterstock
