The US Marine Corps Force Reserve has suffered a major data leak this week that saw the personal and sensitive information of thousands of Marines, sailors and civilians accidentally exposed in an unencrypted email. On Monday (26 February), the Defense Department's Defense Travel System (DTS) sent an email with an attachment that contained highly sensitive and personal information to the wrong email distribution list, Marine Corps Times reported.
DTS is a travel management system used by the Defense Department for managing official authorised trips, travel itineraries and travel expenses.
The attached roster listed the personal and financial details of about 21,426 people including truncated Social Security numbers, credit card information, bank routing numbers, electronic funds transfer details, residential and mailing addresses, as well as emergency contact information.
The email was inadvertently sent to accounts hosted within the official, unclassified "usmc.mil" Marine domain as well as civilian accounts as well. It is not immediately clear how many people mistakenly received the email.
"It was very quickly noticed and email recall procedures were implemented to reduce the number of accounts that received it," Major Andrew Aranda, spokesman for Marine Forces Reserve, said in a release. "The Marine Corps takes the protection of individual Marines' private information and personal data very seriously, and we have steps in place to prevent the accidental or intentional release of such information."
Aranda said he believes there was "no malicious intent" involved in the incident.
The Marine Corps said it is currently investigating the extent of the breach and plans to implement changes to better safeguard personal data and avoid any similar incidents in the future. It is also working to notify those affected by the breach and offer guidance on mitigating the risk of fraud and identity theft.
This isn't the first time US federal government has suffered a major data breach affecting military and defense personnel in recent years.
In 2015, the Office of Personnel Management revealed it suffered two separate but related data breaches that exposed the sensitive information of at least 22.1 million people, including current and former federal employees, contractors, their families and friends.
Deemed one of the most damaging cyber heists in US government history, officials said 21.5 million of those affected were included in an OPM repository of security clearance files.
Since then, the federal government launched several initiatives to bolster its cybersecurity practices, controls and procedures. According to a 2017 audit by Government Accountability Office (GAO), the OPM has implemented 11 recommendations made by the Department of Homeland Security. Four still require "further improvements" while the remaining four are still "in progress."
In January, the US Department of Homeland Security said it suffered a breach exposing the sensitive, personally identifiable information of more than 240,000 former and current employees. The details of subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014 were also compromised.