Yet Another Backup Drive Exposed To The Internet
Earlier this month I wrote about Stewart International Airport in New York leaving a backup drive exposed to the Internet without a password or encryption, exposing extremely sensitive information (see post here).
Now it has been revealed that an unnamed DoD officer, possibly a Lt. Colonel, had a backup drive with thousands of sensitive documents exposed to the Internet and unprotected.
The source article says that this would have been solved if the backup drive had been protected by a password. THIS IS NOT CORRECT. I seem to recall that the DNC emails were protected by passwords. That didn’t seem to help them.
In reality, that drive should not be accessible from the Internet, password or not. That is just too big a risk. Maybe, if the backups were encrypted prior to being placed on the drive and the encryption key were both strong and stored offline, you would probably be OK, but why risk it? In this case, none of that is true.
So what was on the disk drive?
- Personal information of over 4,000 officers, including names, addresses, Social Security numbers and rank.
- A list of hundreds of officers who had top secret, SCI and Codeword clearances.
- Contact information for staff and spouses.
- Completed SF86 security questionnaires for two four-star generals. This is the same type of information stolen from the Office of Management and Budget a few years ago.
- A list of officers under investigation by the military.
- Financial information including banking information.
- A spreadsheet containing passport and contact information for high-profile celebrities.
- Gigabytes of email.
- And other sensitive files.
This is the second time in recent months that the Defense Department has suffered a large data breach and the second time in recent weeks that a backup drive was known to be exposed.
How long this drive was exposed is unknown. Since this was a personal backup drive, it is unlikely that there are any log files at all.
Consider this – how confident are you that the information that you are entrusted with is really being protected? Trust – but verify.
My two cents.
Information for this post came from ZDNet.