A Pentagon subcontractor has exposed reams of highly sensitive details belonging to active military healthcare professionals online, some of which hold top-secret security clearances.
Potomac Healthcare Solutions, a subcontractor brought on board to supply healthcare professionals to the US government and military organizations through its Washington, DC.-based contractor Booz Allen Hamilton, was the source of the data leak.
Chris Vickery, lead security researcher of the MacKeeper Security Center, who found the data, told ZDNet in an email that Potomac's own insecure server was the source of the leak.
Samples of the leaked data provided by Vickery and also reviewed by ZDNet revealed that the personal data of US military personnel was open for all eyes to see, with little in the way to prevent it from being abused.
Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment.
The bulk of the data is made up of military personnel files and lists of physical and mental health support staff, including nurses, doctors, and mental health professionals.
Names, contract types, Social Security numbers, and duty start dates -- dating back to 1998 -- as well as billet numbers that detail the living quarters for when staff are not on active duty, are all included in the information leak.
Unit assignments and places of work, which include military bases and their postings worldwide, were also in the documents.
Many of those named in the leaked personnel files are linked to SOCOM's Preservation of the Force and Families (POTFF) program, a scheme that aims to ease the psychological and physical burdens often placed on military personnel and their families through unit-specific teams of healthcare professionals and counsellors.
The files include names of social workers, physical therapists, nurses and assistants, doctors, and psychologists, which alongside detail the states of their residency, pay scales, contract start and term dates, units and work locations.
The documents supplied by Vickery also revealed a "master tracking list" of POTFF personnel personal data and their security clearance levels.
Some of those possess "top secret" clearance, including access to sensitive compartmented information (TS/SCI) -- typically only granted to vetted staff who are then hired to work on sensitive special access programs.
The list also revealed the name and location of one special forces data analyst, who was awarded top-tier clearance.
The master tracking list also exposed recruitment notes on candidates. One such note described how a senior US military officer had "doubts" that an applicant would "ever be granted security clearance" in part because the applicant "only has dual citizenship due to being born to US military."
Access to that level of information would be highly sought-after by a foreign power, which could use the information to target the military member for conducting espionage.
Vickery described the incident and its potential implications in a blog post.
"It's not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information. Let's hope that I was the only outsider to come across this gem. Let's really hope that no hostile entities found it," he said.
"Loose backups sink ships," he added, highlighting how severe the consequences could be for military agencies.
Vickery's discovery, however, was not as the result of any complicated heist, malware infection, or attack on the researcher's part.
Rather, it was the subcontractor's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which weren't protected with a username or password.
Vickery said he believes the security failure could be down to a backup device of some kind which was misconfigured. He said that at least 11 gigabytes of data was exposed by the leaky system, but he added that he was not certain just how much sensitive information in total was available for the taking.
Potomac since secured the data after Vickery told it of the leak.
Despite sending numerous emails Tom Burden, co-chief executive of Potomac, the company hasn't contacted the researcher since.
The consequences of the leak could be severe -- not just for the healthcare personnel provider but the victims of information disclosure themselves.
This kind of data can be used in all manner of identity theft schemes and added to the release of security clearance levels to public eyes, staffers may have been placed at serious risk.
When reached, Burden said in an email that the company did "acknowledge" Vickery's email, adding that the company was "addressing" the incident.
Booz Allen, the contractor that brought on Potomac, told ZDNet in an email that it was "looking into" the incident. "We take any allegation of a data breach very seriously, including those from our subcontractors," said a spokesperson.
(Booz Allen, too, has seen its fair share of leaks in the not-so-distant past. NSA whistleblower Edward Snowden leaked thousands of classified files to journalists while working for the Pentagon contractor in 2013. Recently, a second employee Harold Martin was arrested and charged with espionage for stealing terabytes of data from the NSA during two decades of employment.)
Meanwhile, a spokesperson for the Dept. for Defense did not respond to a request for comment at the time of writing.
The realization that US military files have been left for all to see could make those in the forces who need help but do not want it to become public knowledge reluctant to seek assistance in the fear that the next military data breach will include their own case details.
As bad, given the job roles of individuals in the leak, it's hardly difficult to imagine the files being used as an avenue to find, contact, blackmail and coerce military healthcare professionals into giving over insider information on the US military and employees.
Today's terrorist activities and nation-state adversaries mean it's trivial for data leaks to be utilized to personally target military personnel and their families.
Potomac told ZDNet after publication:
"As a follow-up to the initial communication on this issue, Potomac Healthcare Solutions, with support from an external forensic IT firm, has completed its investigation of a security incident involving the unauthorized access of one of our internal servers. Despite earlier media reports, our review, which was immediately initiated after the initial questions were raised, has confirmed that the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families."
It continued: "However, the affected server did contain files with data of a limited number of current and former Potomac employees' personal information. While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves and is offering complimentary credit monitoring and identity theft protection services to affected individuals."
Updated on January 6: with comment from Potomac.