Updated on April 19, 2018 by UpGuard
Leading security researchers have confirmed that the U.S. Air Force (USAF) suffered a massive data breach leading to the exposure of sensitive military data and senior staff information. Here's what you need to know about this latest security failure involving the U.S. government.
On February 25th, 2017, security researcher Bob Diachenko announced via Twitter that the USAF had suffered a major data breach leading to the exposure of "tons" of classified/sensitive records. Working alongside him was renowned security researcher Chris Vickery, who would later confirm the data breach.
Following Diachenko's tweet, Vickery also verified the security incident and the remediation efforts in effect.
Have verified. It's legit and we have been in touch with military contacts to secure. https://t.co/bhz8HhYnYr — Chris Vickery (@VickerySec) February 25, 2017
Vickery is credited with discovering last year's U.S. voter data breach exposing 154 million voter registration records, as well as the Mexican voter database breach that resulted in 93.4 million records leaked online. Diachenko is no stranger to high-profile data breaches, either: several weeks ago he was tapped to investigate a data breach involving national printing chain PIP Printing, an incident that left thousands of sensitive documents exposed: NFL player labor filings, lawsuits against Hollywood studios, immigration paperwork, and more.
Of course, this pales in comparison to the USAF data breach that, like the OPM data breach, involves classified U.S. intelligence and matters of national security. Vickery later declared that the compromised data had been "secured."
The USAF has yet to release a statement regarding the data breach—more details to follow.
Though the USAF has yet to release a statement or comment about the data breach, Diachenko's announcement on Twitter reveals that private information involving senior staff, military data containing personally identifiable information (PII), and documents designated For Official Use Only (FOUO) were compromised. PII is defined as any type of data that could be used to ascertain the identity of specific individuals. Documents designated as FOUO are exempt from release under the Freedom of Information Act and are treated as confidential, not for the eyes of the general public.
How Cyber Resilient is the U.S. Air Force?
The USAF operates a myriad of online entities, including websites for the USAF Academy, USAF ROTC, USAF Thunderbirds, and the Air Force Live Blog, among others. Our CSTAR analysis focuses on the USAF's two primary websites: the official af.mil web presence and the Airforce.com marketing and recruiting website.
Af.mil scores an alarmingly low 373 CSTAR rating due to several critical security flaws including lack of sitewide SSL, server information leakage, and missing SPF/DNSSEC.
Airforce.com scores an excellent 846 CSTAR rating, despite suffering from a handful of website perimeter security flaws, namely server information leakage and disabled DNSSEC. Such sites are not the full extent of Air Force internet presence, however; third-party vendor risk, constituted by private-sector partners of the military potentially leaking data online, is another threat vector.
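As an added illustration (not UpGuard's CSTAR scoring and not code from the original article), the following Python example shows how the perimeter flaws named above can be checked from a site's HTTP responses and DNS records. The observation dictionary, its field names, the finding labels and the sample values are constructed assumptions, and treating a missing HSTS header as part of the sitewide SSL check is also an assumption.

```python
import re

# Constructed observations for a hypothetical site; not real scan data.
SAMPLE = {
    "http_status": 200,            # plain-HTTP request answered directly
    "http_location": None,         # no redirect to https://
    "https_headers": {"Server": "Apache/2.4.7 (Ubuntu)",
                      "X-Powered-By": "PHP/5.5.9"},
    "txt_records": ["google-site-verification=constructed"],
    "ds_records": [],              # no DS record at the parent zone
}

VERSION_RE = re.compile(r"\d+(\.\d+)+")  # e.g. 2.4.7 inside a banner


def audit_perimeter(obs):
    """Return the sorted list of findings for one site's observations."""
    findings = []
    headers = {k.lower(): v for k, v in obs["https_headers"].items()}

    # Sitewide SSL: plain HTTP should redirect to HTTPS, and HTTPS should send HSTS.
    location = (obs.get("http_location") or "").lower()
    redirected = obs["http_status"] in (301, 302, 307, 308)
    if not (redirected and location.startswith("https://")):
        findings.append("no-https-redirect")
    if "strict-transport-security" not in headers:
        findings.append("no-hsts")

    # Server information leakage: banners that disclose a product version.
    for name in ("server", "x-powered-by"):
        if VERSION_RE.search(headers.get(name, "")):
            findings.append("version-leak:" + name)

    # SPF: exactly one TXT record whose first term is v=spf1 is expected.
    spf = [t for t in obs["txt_records"] if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        findings.append("spf-multiple")  # RFC 7208: multiple records give permerror

    # DNSSEC: a signed zone has a DS record published in its parent zone.
    if not obs["ds_records"]:
        findings.append("dnssec-not-enabled")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_perimeter(SAMPLE))
```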
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.