Misconfigured Drive Leads to Data Leak of Thousands of US Air Force Officials

The U.S. Air Force Thunderbird Aerial Demonstration Team?s F-16 Fighting Falcons fly over the base flag pole during their demonstration in the Desert Air Show at Luke Air Force Base, Ariz., March 21, 2009. (U.S. Air Force photo by Airman 1st Class Tracie Forte/Released)

Researchers at MacKeeper Security have identified a “misconfigured device,” which was available for public access last week. It was nothing short of a treasure trove of classified data because it contained sensitive personal/official information, backup data and confidential documents belonging to the US Air Force. It has been learned that the device was owned by a Lieutenant who failed to keep it secure by following appropriate measures.

The leaked device has made thousands of US Air Force documents vulnerable. There is sensitive information like passport and social security numbers of high-ranking and senior USAF officials as well as celebrities like Channing Tatum. The entire data is equivalent of several gigabytes. It got leaked because it was stored on an unprotected web-connected backup drive and that’s why it was accessible publicly. It wasn’t protected by password at all however when the news of exposing of such a huge number of USAF files became public; the data was immediately secured.

What MacKeeper Researchers discovered was much more than mere passport and Social Security numbers; the data also contained Personnel by Eligibility and Access Reports having ranks and names of hundreds of service members. There was a notice attached to every page of the documents, which read:

“Under the Privacy Act of 1974, you must safeguard personnel information retrieved through this system. Disclosure of information is governed by Title 5, United.”

It also contained open investigations spreadsheet in which name, rank, accusations and location of the accused were included. It is worth noting that there were all sorts of investigations from sexual harassment claims and accepting of bribes to other more serious crimes. In another file, there were Defense Information Systems instructions stored, which would help in encryption key recovery. This particular file serves as a step-by-step guide on regaining access to an encryption key. This file also contained URLs where requests for information about Public Key Infrastructure (PKI) and Common Access Card (CAC) could be made.

Image Source: ZDNet

Also included in this holy grail of USAF data were scanned images of the Department of Defence’s Joint Personnel Adjudication System (JPAS) account of the Lieutenant. The images contained login URL, login credentials (ID and password) and other details that would help in accessing the account. As apparent, this account is a very sensitive one, and US military would never want to leak such an important detail. There is also a copy of the Training Manual of NATO (North Atlantic Treaty Organization).

Reportedly, the device has personal information of over 4,000 USAF officers and not only official data some files contained information of spouses of officers and other private data. Also part of the leaked data were applications (SF86) for improved national security clearances for two top ranking four-star generals who had held key positions at US military and NATO. The applications contained exclusive personal information such as mental health history, financial information, previous convictions, their links with foreign nationals and similar details. Though the SF86 data isn’t confidential it is useful in conducting identity theft and wire fraud.

Image Source: ZDNet

Although the device is now well-protected but still it is important to identify who else has accessed the public database. We are not yet sure if anyone else other than MacKeeper security team was able to access these files or not. It is about time that institutions like the USAF made their system fool proof and advanced enough to protect the sensitive information of their personnel.

Source: MacKeeper | Coverage: ZDNet | Image Credit: Flick/Beverly

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts