DOD notifying people who may be impacted by a year-old data breach
The Pentagon is in the process of alerting an undisclosed number of current and former employees, job applicants and partners that their sensitive personal information may have been exposed online in a “data breach incident” that was first detected in early 2023.
DefenseScoop viewed a notice — dated Feb. 1, 2024 and sent by the Defense Intelligence Agency to a longtime Defense Department official — encouraging them to sign up for government-provided identity theft protection services as a result of the exposure.
“This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3, 2023 through February 20, 2023, numerous email messages were inadvertently exposed to the Internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation,” the document states.
Broadly, PII refers to any data that can be used to distinguish or trace someone’s identity — like addresses, Social Security numbers, credit card info and biometric records.
In response to questions, DIA referred DefenseScoop to a Pentagon spokesperson, who subsequently did not disclose approximately how many people may have been impacted in this incident, or which service provider was involved.
“As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure,” the spokesperson said.
They also did not specify when the department first started informing people that their data may have been exposed more than a year ago.
“DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing,” the spokesperson told DefenseScoop.
In the letter mailed to possible victims of the exposure, the DIA also noted that in the aftermath of the event, the department has worked with the service provider to understand what happened and mitigate future risks — including by modifying procedures and putting additional capabilities for anomaly detection and alerts into place.
“This incident involved multiple department organizations. Each organization reviewed the affected information to determine whether their personal data was part of the exposure. Following this analysis, a small portion of data from multiple organizations required a secondary review for validation of identities of affected individuals and contact information. This overall assessment process took several months. DOD obtained an Identity Protection Services contract for the affected individuals of these organizations. The contract was awarded in September 2023 and each affected organization has been working actively with the contractor to notify the affected individuals,” a Pentagon spokesperson told DefenseScoop.