The Department of Defense sent a data breach notification letter to thousands of current and former employees alerting them that their personal information had been disclosed. DefenseScoop reported Tuesday. Although the department first detected the incident in early 2023, notifications only started being sent out earlier this month. More than 20,000 people appear to be affected by this violation.
The letter explains that the email messages were “inadvertently exposed to the Internet” by a Department of Defense “service provider.” The emails contained personally identifiable information. Although the agency does not specify what type of information, personal information typically ranges from information such as Social Security numbers, home address or other sensitive details. “While there is no evidence to suggest that your personal information has been misused, the department is notifying individuals whose personal information may have been breached as a result of this unfortunate situation,” the letter said. He urges affected parties to sign up for identity theft protection.
According to TechCrunch, the breach originated from an unsecured cloud email server that leaked sensitive emails across the web. The Microsoft server, which was probably misconfiguredwas accessible from the Internet without even a password.
“For security practices and operations, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the provider has resolved the issues which resulted in the exposure,” the Defense Ministry said in a statement. “DOD continues to collaborate with the service provider to improve prevention and detection of cyber events. Notification to affected individuals is ongoing.”