Pentagon leadership is satisfied with the adjustments Microsoft made to its security protocols following a data breach early last year that compromised the sensitive personal information of more than 20,000 people, according to John Sherman, the department's chief information officer.
In an interview last week on the sidelines of the annual GEOINT Symposium, the CIO revealed new details about his team's and the technology vendor's ongoing response to a large but still publicly obscure data breach incident.
“Microsoft would like to emphasize that it has determined what happened in that case and conducted a thorough follow-up investigation to ensure it never happens again,” he told DefenseScoop. He added that he could not explain in detail what he had done.
Sherman's responses broadly concerned the scope of the incident and Microsoft's immediate response to the data breach, which affected thousands of current and former Department of Defense employees, job applicants, and partners in February 2023. They suggest that there is still much to be revealed about it; most of those affected were not warned about it until a year later.
“We cannot confirm which Pentagon components were affected,” he said in an interview.
As DefenseScoop reported when this security incident first came to light, a large number of emails containing personally identifiable information (PII) were accidentally published via a commercial server and remained accessible online for just over two weeks.
Sherman and other senior officials have not identified the Pentagon organizations whose emails and other records were exposed in the breach, but independent security researchers have confirmed that data that resided on Microsoft servers is now online. A screenshot shared with DefenseScoop when it was published shows sensitive information related to U.S. Special Operations Command personnel.
The document includes multiple military personnel's names, spouses' names and addresses, and details including, but not limited to, religious preferences, church attendance, pets, and overall deployment history. Various other personal information was also detailed.
“What I want to tell you is that we worked very closely with Microsoft on this matter to confirm what happened. They have been very candid about what happened and we have adjusted our procedures to ensure this never happens again in terms of personally identifiable information or PII that was compromised,” Sherman told DefenseScoop.
“So this is not us raking them over coal, we had a very frank discussion at my level to protect our service members and civilians. But the affected organizations within the Department of Defense, you can't look into it,” he added.
Sherman said he would like to “congratulate” David McKeown, the Pentagon's deputy chief information officer for cybersecurity, and his team for working closely with affected military departments and Microsoft to respond to the incident.
In September 2023, the Department entered into an agreement focused on identity protection services with a vendor to notify and support all individuals whose data was exposed in the security breach.
Sherman could not immediately confirm whether all parties involved had been previously notified of the exposure.
He also did not provide detailed information on what was believed to be the original cause of the data breach, but broadly cited “cyber hygiene and configuration management.”
“I won't go into a lot of details. This is kind of, in my words, [about] appropriately managing and complying with the procedures herein. And again, Microsoft, the vendor, has been very transparent about this. Like any company that's been through something, we've been upfront about what needs to be fixed. [The DOD’s zero-trust concept] This is what it's about. But part of this is that when we say we need to do A, B, C, and D, we have to do those things. And you should double check that all barn doors are closed and that they should be closed,” Sherman said in an interview.
A Microsoft spokesperson declined to comment Tuesday.
Microsoft is one of four major U.S. technology companies competing for separate mission orders to ultimately deliver the enterprise cloud capabilities envisioned by the Department of Defense to support critical data workloads that will enable future military operations.