A unsecured backup drive has exposed thousands of US Air Force documents, including highly sensitive personnel files on senior and high-ranking officers.
Security researchers found that the gigabytes of files were accessible to anyone because the internet-connected backup drive was not password protected.
The files contained a range of personal information, such as names and addresses, ranks, and Social Security numbers of more than 4,000 officers. Another file lists the security clearance levels of hundreds of other officers, some of whom possess "top secret" clearance, and access to sensitive compartmented information and codeword-level clearance. Phone numbers and contact information of staff and their spouses, as well as other sensitive and private personal information, were found in several other spreadsheets.
The drive is understood to belong to a lieutenant colonel, whose name we are not publishing. Experts reached out to the officer by email but did not hear back. The data was secured last week after a notification by MacKeeper security researcher Bob Diachenko. Among the most damaging documents on the drive included the completed applications for renewed national security clearances for two US four-star generals, both of whom recently had top US military and NATO positions.
Both of these so-called SF86 applications contain highly sensitive and detailed information, including financial and mental health history, past convictions, relationships with foreign nationals, and other personal information. These completed questionnaires are used to determine a candidate's eligibility to receive classified material.
Several national security experts and former government officials we spoke to for this story described this information as the "holy grail" for foreign adversaries and spies, and said that it should not be made public. For that reason, we are not publishing the names of the generals, who have since retired from service. Nevertheless, numerous attempts to contact the generals over the past week went unreturned.
"Some of the questions ask for information that can be very personal, as well as embarrassing," said Mark Zaid, a national security attorney, in an email. The form allows prospective applicants to national security positions to disclose arrests, drug and alcohol issues, or mental health concerns, among other things, said Zaid.
Completed SF86 forms aren't classified but are closely guarded. These were the same kinds of documents that were stolen in a massive theft of sensitive files at the Office of Personnel Management, affecting more than 22 million government and military employees. "Even if the SF86 answers are innocuous, because of the personal information within the form there is always the risk of identity theft or financial fraud that could harm the individual and potentially compromise them," said Zaid.
One spreadsheet contained a list of officers under investigation by the military, including allegations of abuses of power and substantiated claims of wrongdoing, such as wrongfully disclosing classified information. A former government official, who reviewed a portion of the documents but did not want to be named, said that the document, in the wrong hands, provided a "blueprint" for blackmail.
Even officers who have left in recent years may still be vulnerable to coercion if they are still trusted with historical state secrets. "Foreign powers might use that information to target those individuals for espionage or to otherwise monitor their activity in the hopes of gaining insight into US national security posture," said Susan Hennessey, a Brookings fellow and a former attorney at the National Security Agency.
Government officials use the form as a screening mechanism, said Hennessey, but it also offers applicants the chance to inform the government of past indiscretions or concerns that eliminate the possibility of blackmail in the future, she added. "These are people whose lives can depend on sensitive information being safeguarded, so the notion they would fail to put country over self in that kind of circumstance is far-fetched and supported by relatively few historical examples," she said.
"Still, it is the obligation of the government to keep this kind of information safe, both in order to protect the privacy of those who serve and their families and to protect them against being placed in difficult situations unnecessarily," said Hennessey. Though many of the files were considered "confidential" or "sensitive," a deeper keyword-based search of the files did not reveal any material marked as classified.
A completed passport application for one of the generals was also found in the same folder, as well as scans of his own and his wife's passports and driving licenses. Other data included financial disclosures, bank account and routing information, and some limited medical information.
Another document purported to show the lieutenant colonel's username and password for a sensitive internal Dept. of Defense system, used to check staff security clearances. Another document listed the clearance levels of one of the generals. And, a smaller spreadsheet contained a list of Social Security numbers, passport numbers, and other contact information on high-profile figures and celebrities, including Channing Tatum.
The records were collected in relation to a six-day tour to Afghanistan by Tatum in 2015. An email to Tatum's publicist went unreturned. The drive also contained several gigabytes of Outlook email files, covering years worth of emails. Another document purported to be a backup. Nevertheless, this would be the second breach of military data in recent months.
Potomac, a Dept. of Defense subcontractor, was the source of a large data exposure of military personnel files of physical and mental health support staff. Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment.
It's not known how long the backup drive was active. Given that the device was public and searchable, it's not known if anyone other than the security researchers accessed the files. The Office of Personnel Management, which processes security clearance applications, referred comment to the Pentagon. A Pentagon spokesperson would not comment in an email Monday.
110 Reykjavik, Iceland