Air Force probes sensitive data leak
- By Sean D. Carberry
- Mar 17, 2017
The U.S. Air Force is currently investigating how and why a hard drive containing a trove of sensitive files and data was online and publicly accessible to anyone with an internet connection.
According to MacKeeper Security Research Center, the unsecured drive was discovered during a regular security audit of connected devices using the Shodan.io search engine. The drive allegedly belongs to an Air Force officer "who didn't realize that it was not secured," MacKeeper wrote in a release detailing its discovery of the drive.
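The audit MacKeeper describes, querying Shodan for an organisation's own address space and flagging devices that should never face the internet, is the check a defender wants to run before a researcher does it for them. The block below is an added example written for this page, not MacKeeper's or the Air Force's tooling: it filters host records in the shape of the `matches` entries a Shodan API search returns, keeps only those inside the organisation's own netblocks that expose a file-service port (SMB, FTP, NFS, AFP, rsync and similar), and rates a hit as critical when the banner suggests the service answers without credentials. The netblocks (TEST-NET ranges), the port list and the five sample records are constructed for the example so it runs offline; in practice `SAMPLE_MATCHES` is replaced by the live `matches` list from a `net:` query.

```python
"""Flag internet-exposed file/backup services on your own address space,
using Shodan-style host records. Added example; not from the article."""
import ipaddress

# Service ports a backup drive or NAS typically listens on. Illustrative
# list chosen for this example; tune it to the appliances in your estate.
FILE_SERVICE_PORTS = {
    21: "ftp", 139: "netbios-ssn", 445: "smb", 548: "afp",
    873: "rsync", 2049: "nfs", 5000: "nas-web",
}

# Address blocks the organisation owns (TEST-NET ranges, constructed).
OWNED_NETBLOCKS = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed records in the shape of entries under "matches" in a Shodan
# API search result (ip_str, port, transport, product, data). No real hosts.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.17", "port": 445, "transport": "tcp", "product": "Samba",
     "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 2"},
    {"ip_str": "203.0.113.17", "port": 21, "transport": "tcp", "product": "vsftpd",
     "data": "220 (vsFTPd 3.0.3)\n230 Login successful.\nAnonymous access allowed"},
    {"ip_str": "203.0.113.40", "port": 443, "transport": "tcp", "product": "nginx",
     "data": "HTTP/1.1 200 OK"},
    {"ip_str": "192.0.2.9", "port": 445, "transport": "tcp", "product": "Samba",
     "data": "SMB Status:\n  Authentication: disabled"},  # not our space: ignored
    {"ip_str": "198.51.100.5", "port": 2049, "transport": "tcp", "product": "",
     "data": "NFS Exports:\n  /backup *"},
]

# Banner fragments that suggest the service answers without credentials.
ANON_MARKERS = ("anonymous", "authentication: disabled", "guest")


def in_owned_space(ip):
    """True when ip falls inside one of OWNED_NETBLOCKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETBLOCKS)


def looks_unauthenticated(banner):
    """Heuristic: banner text hints that no login is required."""
    text = banner.lower()
    return any(marker in text for marker in ANON_MARKERS)


def find_exposed_file_services(matches):
    """Return findings for file-service ports reachable on owned addresses.

    Each finding carries ip, port, service, product, severity and the first
    banner line as evidence. Severity is 'critical' when the banner suggests
    anonymous access, otherwise 'high' (exposed at all is already bad).
    """
    findings = []
    for m in matches:
        port = m.get("port")
        if port not in FILE_SERVICE_PORTS:
            continue                     # not a file service, out of scope here
        if not in_owned_space(m["ip_str"]):
            continue                     # somebody else's problem
        banner = m.get("data", "")
        findings.append({
            "ip": m["ip_str"],
            "port": port,
            "service": FILE_SERVICE_PORTS[port],
            "product": m.get("product") or "unknown",
            "severity": "critical" if looks_unauthenticated(banner) else "high",
            "evidence": banner.splitlines()[0] if banner else "",
        })
    # Deterministic order: by address, then port.
    findings.sort(key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


if __name__ == "__main__":
    for f in find_exposed_file_services(SAMPLE_MATCHES):
        print(f"{f['severity']:8} {f['ip']}:{f['port']} {f['service']} "
              f"({f['product']}) - {f['evidence']}")
```

Run against the sample data this reports the NFS export as high and the two services on 203.0.113.17 as critical, while the identical SMB exposure on 192.0.2.9 is dropped because it is outside the owned blocks. The banner heuristic is deliberately conservative: an "unknown" product or an empty banner is still reported, since a drive that is reachable at all from the internet is the finding, and whether it also lacks a password only changes how fast you move.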
MacKeeper said the drive contained "backup data" with files that included the names and Social Security numbers of hundreds of service members, including high-ranking officers, as well as a document listing details of open investigations into service members for allegations of sexual harassment, discrimination and other claims.
"One example is an investigation into a major general who is accused of accepting $50,000 a year from a sports commission that was supposedly funneled into the National Guard," said MacKeeper. "There were many other details from investigations that neither the Air Force nor those being investigated would want publicly leaked."
According to MacKeeper, the drive also contained a file with "Defense Information Systems instructions for encryption key recovery."
"This is a comprehensive step by step guide of how to regain access to an encryption key and all of the URLs where someone can request information regarding a Common Access Card and Public Key Infrastructure," wrote MacKeeper.
The organization said the drive also contained the owner's Joint Personnel Adjudication System (JPAS) account information, including the login, user ID and password, which would give anyone who found the file access to the system that holds personnel security investigation data.
"The database also included a copy of the North Atlantic Treaty Organization Information Security Training Manual and many other documents that may or may not be publicly available," said MacKeeper.
Upon discovering the drive, MacKeeper informed the Air Force and the drive was taken offline. MacKeeper said it could not determine whether anyone other than its own research team had accessed the drive and its contents while it was exposed.
The story of the MacKeeper discovery was first reported by ZDNet.
"There was a span of several hours between notification and shutdown," MacKeeper researcher Bob Diachenko told FCW. "I'm interpreting that to mean there was some difficulty in locating the physical device or figuring out what firewall rules were allowing it to communicate publicly."
Diachenko said the device was "part of DOD/USAF network infrastructure, but apparently by some configuration mistake it was put outside the firewall and became visible."
He said his team was not able to communicate directly with the owner of the drive, but it is cooperating with the Air Force as the service continues to investigate the incident.
"We are aware of the media reports and given the nature, take them extremely seriously," Air Force spokesman Zachary Anderson told FCW. "We continue to investigate the matter."
House Armed Services chairman Mac Thornberry (R-Texas) grimaced when FCW asked on March 16 if he was aware of the incident.
"I don't know about it," he said with a sigh. "Yes, I will look into it."
Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.
Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.