MacKeeper researchers recently discovered that sensitive U.S. Air Force Data was being made available online by a misconfigured backup device. The data appears to have belonged to an Air Force lieutenant who didn’t realize it wasn’t secured.
The exposed data included the names, ranks and Social Security numbers of several hundred service members, as well as Defense Information Systems instructions for recovering encryption keys, and the login URL, user ID and password for the lieutenant’s Joint Personnel Adjudication System (JPAS) account.
It also included a spreadsheet of open investigations, listing the names, ranks, locations, and detailed descriptions of the accusations, including sexual harassment, discrimination and other claims.
“One example is an investigation into a Major General who is accused of accepting $50,000 a year from a sports commission that was supposedly funneled into the National Guard,” the researchers report. “There were many other details from investigations that neither the Air Force or those being investigated would want publically leaked.”
According to ZDNet, the data also included two four-star generals’ completed applications for national security clearances, containing enough sensitive information that security experts described them as a “holy grail” for foreign adversaries.
Seclore CEO Vishal Gupta told eSecurity Planet by email that the breach serves as a reminder that cloud backups can present a huge security risk if not managed properly. “By failing to use the most basic security measure, a password, the U.S. Air Force left all the information necessary to carry out a targeted cyber extortion campaign free for the taking,” he said. “And it remains unclear whether the data was misused – which is likely to remain the case due to the lack of information tracking and auditing capabilities.”
“Government IT teams must put foolproof measures in place that ensure that regardless of who is acting on or storing sensitive documents, adequate security precautions remain in place,” Gupta added. “Until then, you can bet this won’t be the last time military personnel unwittingly jeopardize information security.”
A recent Clutch survey of 1,001 U.S. respondents found that over 30 percent of respondents who were using at least one popular cloud-based application thought they weren’t using the cloud at all.
And while 55 percent of respondents claimed to be very or somewhat confident in their cloud knowledge, 22 percent of those who considered themselves very confident in their cloud knowledge didn’t know or were unsure about whether they use the cloud.
Fifty-two percent of those who use the cloud actively take additional steps (like two-factor authentication or additional encryption) to secure that data — but 37 percent do not.
“The cloud is not going anywhere,” Cryptzone technical director Chris Steffen said in a statement. “If anything, it’s going to be become more and more an integral part of the stuff that we do every single day, whether we know that we’re using it or not.”