Pentagon, Microsoft probing leak of military e-mails

WASHINGTON – The US Defence Department and Microsoft are investigating an error that exposed at least a terabyte of military e-mails, including personal information and conversations between officials, people familiar with the matter said, in an episode that highlights the security risk of moving sensitive Pentagon data to the cloud.

The Pentagon’s Cyber Command has taken the lead on the investigation with Microsoft, which operates the Azure cloud-computing service that stored the data.

Information on a US Special Operations Command server was accessible without a password, said the people, who asked not to be identified discussing information that has not been publicly released.

Investigators have found no sign yet that the exposed data was accessed, but are still working to assess the fallout from the leak, the people said.

A US Cyber Command spokesman declined to comment, but said defensive cyber operators scan and mitigate the networks they manage.

The Defence Department is in the early stages of assessing the reports of exposed e-mails, and “we just don’t comment on the security of our systems”, Ms Sabrina Singh, a department spokesman, told reporters at the Pentagon.

The e-mails contained conversations between Pentagon officials as well as completed SF-86 forms, which government employees are required to fill out to obtain security clearances, according to screenshots of the e-mails shared by independent security researcher Anurag Sen, who discovered the leak.

The incident was reported earlier on Tuesday by TechCrunch.

The exposure may have resulted from a configuration error with Microsoft’s server that left it publicly accessible, two of the people said. T

hey had differing assessments on who was at fault, with one saying it was the fault of a Pentagon employee and another saying Microsoft was to blame.

The leak will draw new scrutiny to the Pentagon’s push to move much of its data over to commercial cloud-computing.

On Feb 15, the Pentagon Inspector-General issued a report saying agency staff “may be unaware of vulnerabilities and cybersecurity risks” linked to storing data in the cloud.

The leak may also complicate Microsoft’s bids for future government contracts.

Microsoft is one of four companies, along with Alphabet, Oracle and Amazon.com, that the Pentagon selected to compete for orders under a potential US$9 billion (S$12 billion) cloud computing contract.

Microsoft initially won an earlier contract worth US$10 billion, but that was cancelled after a legal challenge from Amazon.

Microsoft was dealt a blow in January after Congress rejected the Army’s request for US$400 million to buy as many as 6,900 of Microsoft’s combat goggles, which were found to cause headaches, eye strain and nausea. BLOOMBERG