Recap: Our Reactions to the SOCOM Data Leak & How to Move Forward

On February 21, TechCrunch reported that US Special Operations Command (SOCOM) discovered an accidental leak of internal US Military emails to the public internet. The leaked data included sensitive data like Personally Identifiable Information (PII) and security clearance details from military messages.

What does this mean, and how should we feel about it? That’s what Virtru’s CMO, Matt Howard, and Federal General Manager, Shannon Vaughn, sought to explore in the latest session of our video series, Hash It Out. You can watch the full conversation for free by selecting the button below, or continue reading for a brief recap.

What Exactly Happened in this Data Breach?

Record scratch.

So, exactly what happened with this leak, and how did we get here?

Put simply, there’s a server on Microsoft's Azure government cloud that stores sensitive but unclassified government data for the Department of Defense. It contained a slew of military emails, including three terabytes of data. Most of this data belongs to USSOCOM, which stands for U.S. Special Operations Command, a military unit in charge of carrying out special military operations.

In a settings misconfiguration, the server was left unprotected and without a password –allowing anyone with a web browser and the internet access to it, just by typing in its IP address.

On the weekend of February 17, 2023, white-hat researcher Anurag Sen discovered this vulnerability and reported it to TechCrunch to convey to the U.S. government. SOCOM patched the vulnerability by February 20 – then, TechCrunch reported the ordeal to the public on February 21.

The remaining question is, how long was the server exposed before Sen’s discovery of it? The truth is, we don’t know. TechCrunch reports that a Shodan listing traces leaked data as far back as February 8, but we don’t know if the vulnerability occurred before then or on that date.

The USSOCOM spokesperson confirmed that although the information was vulnerable, the organization was not hacked. However, there still was a data spillage. It’s unclear if SOCOM has logs to detect unauthorized access to the data.

Unclassified Doesn’t Mean Non-Sensitive

“We should be, collectively as a community, careful not to assume that just because this server was ‘unclassified,’ that it did not contain truly sensitive information,” said Howard.

With this particular data leak, there is data going back years that could include DoD ID numbers, health information, and even SF86–security clearance information.

“Security clearance is not just about that individual,” Vaughn explains. “It's about all the people that they know, their work history, their past experiences; it has your social, it has your home address, it has your spouse. It has [your spouse’s] social, your family… there's a lot of sensitive information that goes into an SF-86.”

CUI, or Controlled Unclassified Information, is a type of data in the military that is still mandated to be handled with care. Regulations like ITAR, CMMC 2.0, and more all require the use of standard data protection practices to be in place for data of this nature.

“Not everything needs to be encrypted, but there are rules,” said Vaughn. “There are mandates that for CUI data, for [For Official Use Only (FOUO)] data that has to be protected, and encryption is one of the ways to protect.”

The Realities of Encryption

Howard and Shannon both agree that every workflow, even those on internal networks or protected by encryption, needs to have systems in place to solve for human error. In this case, the emails leaked from the SOCOM server were protected by a password, which was accidentally disabled, exposing the server to the open internet. The emails weren’t encrypted individually, leading to free-for-all access once the server was exposed.

“Nobody wants to encrypt everything,” said Howard. “It's not the way the world really works. You want to use encryption judiciously for the things that are truly sensitive … It really helps to do that with some type of automation in the workflow with the [Data Loss Prevention (DLP)] along those lines.”

Vaughn, now Virtru’s Federal General Manager, reflects on the information he has shared unencrypted on an internally protected email server.

“I'm now in the Army reserves, but in almost 19 years, how many times have I sent data, especially on an internal system, where I'm more willing to share information…? So if I'm sending information to my G1, S1, J1, or whoever it is, that's my personnel group. I'm going to send them all of my DoD ID number, my social, and whatever that information is for SF86 … If I know that this is an internal-only system, Well great, hey, I'll share that and not expect any risk. Next thing you know, human error, no password, it's exposed … and now, myself, my, my family everybody [included in the] SF-86 … [are] targeted because one person made a mistake.”

DLP can help fill the gaps to protect emails detected to have sensitive data in tow automatically–but even if each and every email is encrypted, there are still obstacles to face. Howard and Vaughn ruminate on a Microsoft OME vulnerability–found similarly by a white-hat researcher, reported, but never patched by Microsoft. The weakness of the encryption could make it possible so that if emails are stolen en masse, hackers could pattern match and decrypt the information.

“How likely is it that somebody could effectively steal a huge number of emails or sufficient emails to basically do the pattern matching to infer the context of copy of the underlying message?” asked Howard, and the answer is, pretty likely. This could be possible even if the emails were sent encrypted on a closed network–if they were to be infiltrated, the information could still be vulnerable.

Thoughts on How to Prevent Human Error Moving Forward

“It’s a sobering situation we find ourselves in. [We] both know how hard it is to do cybersecurity, and data-centric security in particular, really well at scale…” said Howard. “We should all be careful not to revel in anybody's difficult situation. I think it's also incumbent upon us to ask really important questions about how you can do better.”

In the spirit of doing better, Vaughn and Howard clarified ways to prevent these issues in the future, not only at the federal level but at a level scalable for small businesses and enterprises alike.

Build In Protections for Human Error

“Everybody has kind of these lower level capabilities just to allow humans to make errors," said Vaughn, "because I don't think any company has a hundred-percent, perfect employees. Right? Humans have faults.”

The human element will always pervade – that’s why including data loss prevention tools is vital. Humans will forget to encrypt sensitive data no matter what. DLP can include AI that detects sensitive data and encrypts it automatically. Gateway encryption, encrypting all data before leaving the server, is also a way to siphon sensitive data through a protective net ensuring protection.

Secure Data From the Inside Out

In the case of SOCOM, it was the misconfiguration of a password-protected system that rendered it vulnerable. Once their Microsoft Azure perimeter-centric security was exposed, a slew of unprotected data on the inside was left vulnerable. With a data-centric security architecture, that protects from the inside out instead of the other way around, certain sensitive information could have been spared.

Virtru is your Data-Centric Security Solution

Virtru offers powerful data-centric security solutions for federal-level operations, down to small defense contractors. With Virtru for Outlook and Gmail, emails are encrypted both in transit and at rest, ensuring secure communication throughout the entire email process.

Unlike traditional methods, Virtru does not require users to create any new usernames or passwords, eliminating one of the significant hurdles in email security. Additionally, Virtru's encryption requires at least two keys to access the data, regardless of its location, providing robust protection. Granular access controls allow data owners to grant or revoke access, impart access expiration dates, disable forwarding, and more.

With the use of the Virtru Private Keystore, access requires three keys, adding an extra layer of security. Unlike Azure's perimeter-centric security and password-based identity-centric security, Virtru's pervasive data-centric security protects the data itself, ensuring complete data protection.

In the case of a hacker compromising a singular user’s identity, other members in your organization can leverage Virtru access controls to revoke access to sensitive data before it escalates into a major data loss.

With over 8,000 customers, Virtru can fortify your team's security with data-centric protection, including email, file-sharing, drive encryption, and more. Book a demo with our team today.