Microsoft and Pentagon investigating leaked, sensitive military emails

The Dept. of Defense secured the server on Monday

The Dept. of Defense and Microsoft are investigating an unsecured server that exposed emails and data from the U.S. Special Operations Command (USSOCOM) containing sensitive but unclassified information.

The server, which was part of a mailbox system hosted on the Microsoft Azure Government Cloud, was misconfigured in a way that allowed anyone to access it through a web browser without a password as long they knew the server’s IP address. A "white hat" security researcher informed TechCrunch of the vulnerability so that the outlet could alert the government, which secured the server on Monday.

While no classified emails were exposed in the breach, about three terabytes of data from the server were exposed, including emails dating back several years containing conversations between officials and sensitive personnel documents. 


The Pentagon is the headquarters of the U.S. military

US Pentagon in Washington DC building looking down aerial view from above (iStock)

At least one of the exposed files reviewed by TechCrunch included a completed SF-86 questionnaire, which is a document government employees fill out when they’re pursuing a security clearance and includes sensitive information like a Social Security number and personal health information. 

The 136-page SF-86 form often contains information about family members, foreign contacts, and psychological information, in addition to information about the applicant’s work history and past living arrangements.


Signage outside the Microsoft campus

The breach involved a server for the government's Microsoft Azure cloud storage service. (David Paul Morris/Bloomberg via Getty Images / Getty Images)

Personnel files like the SF-86 have proven to be attractive targets for adversarial governments, as demonstrated in 2014 and 2015 when state-sponsored hackers who were suspected of acting on behalf of the Chinese government breached the Office of Management and Budget (OMB). 

The OMB hack proved to be one of the largest breaches involving government data in U.S. history and included the theft of background check information, personal records including financial data, and even more than 5 million fingerprints.


Microsoft referred FOX Business to the Dept. of Defense (DOD) regarding the matter. A spokesperson for U.S. Cyber Command provided the following statement: "As a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage. Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate."

U.S. Navy Commander Jessica McNulty, a DOD spokesperson, told FOX Business that the Pentagon is "aware of the potential exposure of DoD unclassified, commercially cloud-hosted data to the Internet over the past two weeks. The affected server was identified and removed from public access on February 20." 

McNulty added: "U.S. Cyber Command and Joint Force Headquarters-Department of Defense Information Network continue to work with affected DoD entities and the Cloud Service Provider to assess the scope and impact of this potential data exposure. The DoD Chief Information Officer in coordination with JFHQ-DODIN is working with the CSP to understand the root cause of the exposure and why this problem was not detected sooner. DOD CIO will direct changes in CSP security measures as required based on any findings and recommendations. We will notify any DoD personnel affected by the incident appropriately and following Federal Law and DoD Policy. DoD takes this matter very seriously and will incorporate all lessons learned from this event to strengthen its cybersecurity posture."

This article has been updated to include comment from Cyber Command and the Dept. of Defense.