/ SECURITY WATCH

US Air Force Leaks Sensitive Data

Popular articles

12 / 03 / 2017

MacKeeper Security Researchers Discover Sensitive United States Air Force Data

MacKeeper Security Researchers Discovered a misconfigured device that was publically available and contained sensitive data relating to the US Air Force. The device contained backup data and appears to belong to a Lieutenant who didn’t realize that it was not secured.

Researchers discovered a trove of sensitive documents that included a Personnel by Eligibility and Access Reports that contained the names, rank, social security numbers of several hundred service members. At the bottom of each page is a notice that reads:

“Under the Privacy Act of 1974, you must safeguard personnel information retrieved through this system. Disclosure of information is governed by Title 5, United”

The most shocking document was a spread sheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims. One example is an investigation into a Major General who is accused of accepting $50k a year from a sports commission that was supposedly funneled into the National Guard. There were many other details from investigations that neither the Air Force or those being investigated would want publically leaked.   

There is a file that contains Defense Information Systems instructions for encryption key recovery. This is a comprehensive step by step guide of how to regain access to an encryption key and all of the urls where someone can request information regarding a Common Access Card (CAC) and Public Key Infrastructure (PKI). The possible danger of leaking the email addresses and personal information of senior military officials is that through social engineering and other methods, bad actors could potentially gain access.

Among the sensitive documents were a scanned image of the Lieutenant’s JPAS account (Joint Personnel Adjudication System) from the Department of Defence. This included the login url, user ID and Password to access the system. JPAS accounts are only provisioned for authorized individuals and we can assume there would be classified information to anyone who would access the account . The database also included a copy of the North Atlantic Treaty Organization (NATO) Information Security Training Manual and many other documents that may or may not be publically available.  


The device has since been taken offline and it is unclear if anyone other than members of the MacKeeper Research Team had access to the files or how long they were available.

Please see more details on the story in Zack's feature at ZDnet: http://www.zdnet.com/article/leaked-us-military-files-exposed/

For more information or media requests please contact security@kromtech.com