Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Thousands of DoD personnel may have had their private data leaked — US government admits 20,000 could be affected

An abstract image of a cloud raining data.

A year after a cybersecurity incident, the US Department of Defense (DOD) has begun notifying affected individuals about exactly what happened.

In February 2023, cybersecurity researcher Anurag Sen discovered a US government email server that sat without a proper password to protect its content - essentially, leaking sensitive information to anyone who knew where to look. 

The exposed email server was hosted on Microsoft’s Azure government cloud for the Department of Defense, allowing it to share sensitive, but still unclassified data. This service offers servers that are physically disconnected from commercial customers, and was part of an internal mailbox system that held some 3TB of internal military emails, some of which referred to U.S. Special Operations Command (USSOCOM), a military unit running special operations.

Consequences yet to be determined

The database was secured a day after the news broke, but now, almost exactly a year later, the DOD started mailing affected individuals, notifying them of the incident. 

As per TechCrunch, the breach notification letter was sent out on February 1 to roughly 20,600 individuals. It said that “numerous email messages were inadvertently exposed to the Internet by a service provider,” between February 3 and February 20, 2023.

“As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing,” said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

While we now know how many people were affected by the breach, we still don’t know if any threat actors found the database before Sen did.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.