The Department of Defense sent a data breach notification letter to thousands of current and former employees alerting that their personal information had been leaked, DefenseScoop reported on Tuesday. While the department first detected the incident in early 2023, the notifications didn’t begin to go out until earlier this month. More than 20,000 individuals appear to be affected by the breach.
The letter explains that emails messages were “inadvertently exposed to the internet” by a Defense Department “service provider.” The emails contained personally identifiable information. While the agency doesn’t clarify what type of information, PII generally ranges from information like social security numbers, home address or other sensitive details. “While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation,” the letter says. It urges affected parties to sign up for identity theft protection.
According to TechCrunch, the breach stems from an unsecured cloud email server that leaked sensitive emails onto the web. The Microsoft server, which was likely misconfigured, could be accessed from the internet without so much as a password.
“As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure,” the Department of Defense said in a statement. “DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing.”
This story originally appeared on Engadget