The US military has been hit with a massive data leak that freely exposed thousands of classified documents from the US Air Force to anyone on the internet. The leak reportedly contains sensitive and personal information on high-ranking and senior officials, some of whom have "top secret" security clearance and access to highly sensitive material, which is allegedly made available only via codeword-level clearance.
Personal information of over 4,000 officers, including names, ranks, addresses and social security numbers, was left exposed by the leak. An unsecured backup drive that belonged to an unnamed lieutenant colonel was the cause of the leak, according to MacKeeper security researchers, who first discovered the security breach.
The researchers noted: "The most shocking document was a spreadsheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims. One example is an investigation into a Major General who is accused of accepting $50k a year from a sports commission that was supposedly funnelled into the National Guard. There were many other details from investigations that neither the Air Force nor those being investigated would want publicly leaked."
Among the leaked documents is a file that includes a Defence Information Systems "comprehensive step by step guide" on how to recover access to encryption keys. Another file lists the security clearances of hundreds of officers. The leaked data also contains spreadsheets detailing phone numbers and other contact information of staff and their spouses.
National security experts and former government officials have reportedly deemed the leaked data the "holy grail" for spies and rivals, warning that the data should not be made public.
"Foreign powers might use that information to target those individuals for espionage or to otherwise monitor their activity in the hopes of gaining insight into US national security posture," Susan Hennessey, a former attorney at the National Security Agency, told ZDNet.
"Still, it is the obligation of the government to keep this kind of information safe, both in order to protect the privacy of those who serve and their families and to protect them against being placed in difficult situations unnecessarily," Hennessey added.
The Pentagon is yet to comment on the matter. IBTimes UK has reached out to MacKeeper security researcher Chris Vickery, who first tweeted about the data leak on 25 February and worked with fellow MacKeeper researcher Bob Diachenko to secure the breach, for further clarity on the matter. We will update this article with more information in the event of a response.
Following the publication of this article, we heard back from MacKeeper security researcher Bob Diachenko.
Commenting on how the data was discovered, Diachenko told IBTimes UK in an email: "We conduct weekly security audits using the IoT / open port search engine called Shodan (it is similar to Google, but is a public search engine for connected devices). During the audit we identified an unprotected NAS device (Network Attached Storage) that was publicly streaming data, and anyone with an Internet connection could have viewed and possibly even downloaded it."
He said the Air Force was notified of the breach via a contact of his fellow security researcher Chris Vickery and that the Air Force was grateful for the heads-up. He added: "There was a span of several hours between the time of the notification and when the device was taken offline or shut down. We assume this means there was some type of difficulty in locating the physical device or figuring out what firewall rules or configurations were allowing it to communicate publicly."
He added: "It is hard to tell how many other devices remain open and accessible. However, our discovery will most likely affect major changes in the way the Military lets officers store data on NAS devices."