Pentagon, Microsoft investigating leak of military emails
WASHINGTON — The Defense Department and Microsoft Corp. are investigating an error that exposed at least a terabyte of military emails including personal information and conversations between officials, people familiar with the matter said, an episode that highlighted the security risk of moving sensitive Pentagon data to the cloud.
The Pentagon’s Cyber Command has taken the lead on the investigation with Microsoft, which operates the Azure cloud-computing service that stored the data. Information on a U.S. Special Operations Command server was accessible without a password, said the people, who asked not to be identified discussing information that hasn’t been publicly released.
Investigators have no sign yet that the exposed data was accessed but were still working to assess the fallout from the leak, the people said. A US Cyber Command spokesperson declined to comment but said defensive cyber operators scan and mitigate the networks they manage. The emails contained conversations between Pentagon officials as well as completed SF-86 forms, which government employees are required to fill out to obtain security clearances, according to screenshots of the emails shared by Anurag Sen, an independent security researcher who discovered the leak. The incident was first reported Tuesday by TechCrunch.
The exposure may have resulted from a configuration error with Microsoft’s server that left it publicly accessible, two of the people said. They had differing assessments on who was at fault, with one saying it was the fault of a Pentagon employee and another saying Microsoft was to blame.
The leak will draw new scrutiny to the Pentagon’s push to move much of its data over to commercial cloud-computing. On Feb. 15, the Pentagon inspector general issued a report saying agency staff “may be unaware of vulnerabilities and cybersecurity risks” linked to storing data in the cloud.
The leak may also complicate Microsoft’s bids for future government contracts. Microsoft is one of four companies, along with Alphabet Inc., Oracle Corp., and Amazon.com Inc., that the Pentagon selected to compete for orders under a potential $9 billion cloud-computing contract. Microsoft initially won an earlier contract worth $10 billion but that was canceled after a legal challenge from Amazon. Micorsoft was dealt a blow last month after Congress rejected the Army’s request for $400 million to buy as many as 6,900 of Microsoft’s combat goggles, which were found to cause headaches, eyestrain and nausea.