The Pentagon is notifying individuals affected by 2023 email data breach

Supatman/Getty Images

The exposed contents were not secured with a password at the time of their compromise.

The Defense Department is notifying some 26,000 individuals who were impacted by a data breach that was linked to a now secured server whose contents were released online last year, a spokesperson confirmed to Nextgov/FCW.

The Pentagon’s Defense Intelligence Agency on Feb. 1 issued a notice to those affected — including current and former employees — urging them to enroll in identity theft protection services that resulted from the leaked cache uncovered by a security researcher last February.

DefenseScoop first reported on the contents of the recent breach notification document.

“This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3, 2023 through February 20, 2023, numerous email messages were inadvertently exposed to the Internet by a [DOD] service provider,” the reported readout said. 

It adds: “Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD, or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation.”

The Pentagon declined to elaborate on the specifics of the document, citing operational security.

“The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure,” spokesperson Timothy Gorrman said in a statement. “DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing.”

At the time, the exposed email contents, which included exchanges pertaining to U.S. Special Operations Command, were not secured with a password. Multiple departmental organizations were affected, and over 20,600 individuals were impacted by the incident, DefenseScoop reported, citing the missive sent to potential affected victims.

Government employee data breaches continue to linger and have created headaches for federal agencies. A vulnerability in the Atlassian Confluence suite tool that’s widely used throughout the federal government for IT and other employee-facing support services was responsible for a Government Accountability Office breach reported Tuesday.

Additionally, last year, the Department of Transportation confirmed a data breach that affected some 237,000 current and former employees and contained data on the agency’s benefit system that reimbursed workers for commuting costs.