USAF C-17
USAF C-17

A United States Air Force officer mistakenly exposed not only the personally identifiable information (PII) of many service members, but also the records of on-going criminal investigations and instructions for recovering encryption keys for military documents.

The data was discovered by MacKeeper Security located on a misconfigured storage device, since taken offline, owned by an unnamed lieutenant that was inadvertently made public on the internet.  Among the files were Personnel by Eligibility and Access reports that contained the names, rank and Social Security numbers of service members.

Even more revealing were scores of documents related to on-going criminal investigations that range from sexual harassment cases to an inquiry of a major general who allegedly accepted $50,000 a year from a sports commission that was supposedly funneled into the National Guard, MacKeeper reported. Also included was the PII of those being investigated. Further details were not available to explain the case.

“This is a serious data leak, which allows nation states to target high-value military personnel for additional attacks and surveillance. If that weren't bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals,” said Robert Capps, VP of business development for NuData Security to SC Media.

Once created these profiles could allow enemies and criminals to track the service member and also steal their identities, he added.

Other sensitive data included an image of the device owner's JPAS account (Joint Personnel Adjudication System) from the Department of Defense. This included the login URL, user ID and Password to access the system, MacKeeper said.

In addition, a file containing Defense Information Systems instructions for encryption key recovery was on the drive. This knowledge allows someone to regain access to an encryption key and all the URLs needed to request a Common Access Card and Public Key Infrastructure.

Encryption is also the key to helping ensure that these events don't happen in the future, said David Vergara, VASCO Data Security's head of global product marketing.

“Regardless of the leak point, there is a simple “silver bullet” that secures data, its encryption. Modern encryption solutions are not only widely available for all types of end-point devices they're also inexpensive,” he said.

SC Media has reached out to the USAF, but has not yet received a response.