US Air Force Suffers Massive Data Breach

Updated on April 19, 2018 by UpGuard

Leading security researchers have confirmed that the U.S. Air Force (USAF) suffered a massive data breach leading to the exposure of sensitive military data and senior staff information. Here's what you need to know about this latest security failure involving the U.S. government.

Background

On February 25th, 2017, security researcher Bob Diachenko announced via Twitter that the USAF had suffered a major data breach leading to the exposure of "tons" of classified/sensitive records. Working alongside him was renowned security researcher Chris Vickery, who would later confirm the data breach.  

Following Diachenko's tweet, Vickery also verified the security incident and confirmed that remediation efforts were in effect.

Vickery is credited with discovering last year's U.S. voter data breach, which exposed 154 million voter registration records, as well as the Mexican voter database breach that resulted in 93.4 million records leaked online. Diachenko is no stranger to high-profile data breaches, either: several weeks ago he was tapped to investigate a data breach involving national printing chain PIP Printing, an incident that left thousands of sensitive documents exposed: NFL player labor filings, lawsuits against Hollywood studios, immigration paperwork, and more.

Of course, this pales in comparison to the USAF data breach that, like the OPM data breach, involves classified U.S. intelligence and matters of national security. Vickery later declared that the compromised data had been "secured."

The USAF has yet to release a statement regarding the data breach—more details to follow.

Who/What's Affected

Though the USAF has yet to release a statement or comment about the data breach, Diachenko's announcement on Twitter reveals that private information involving senior staff, military data containing personally identifiable information (PII), and documents designated For Official Use Only (FOUO) were compromised. PII is defined as any type of data that could be used to ascertain the identity of specific individuals. Documents designated as FOUO are exempt from release under the Freedom of Information Act and are treated as confidential, not for the eyes of the general public.

How Cyber Resilient is the U.S. Air Force?

The USAF operates a myriad of online entities, including websites for the USAF Academy, USAF ROTC, USAF Thunderbirds, and the Air Force Live Blog, among others. Our CSTAR analysis focuses on the USAF's two primary websites: the official af.mil web presence and the Airforce.com marketing and recruiting website.

Af.mil scores an alarmingly low 373 CSTAR rating due to several critical security flaws including lack of sitewide SSL, server information leakage, and missing SPF/DNSSEC.

Airforce.com scores an excellent 846 CSTAR rating, despite suffering from a handful of website perimeter security flaws, namely server information leakage and disabled DNSSEC. Such sites are not the full extent of the Air Force's internet presence, however; third-party vendor risk, constituted by private-sector partners of the military potentially leaking data online, is another threat vector.