Department of Defense is reporting on the 2023 email data breach

The Department of Defense is currently issuing notifications to approximately 26,000 individuals, including both current and former employees, regarding a data breach that occurred early in 2023. This breach involved the inadvertent exposure of numerous email messages to the internet due to a misconfiguration by a Department of Defense (DOD) service provider.

The incident, which lasted from February 3, 2023, through February 20, 2023, resulted in the leakage of emails containing personally identifiable information (PII) related to individuals employed by, supporting, or seeking employment with the DOD. Specific details regarding the types of exposed PII were not disclosed.

The cause of the attack is attributed to a misconfigured Microsoft cloud email server, which was publicly accessible without requiring a password. The exposed emails included The exposed server contained internal military email messages, dating back years, discussions pertinent to the U.S. Special Operations Command, affecting multiple departmental organizations and included completed SF-86 questionnaires—forms filled out by federal employees seeking security clearance that contain highly sensitive personal and health information.

Despite the exposure, there has been no evidence to suggest misuse of the exposed PII. Nonetheless, the Pentagon, through the Defense Intelligence Agency, has begun urging affected parties to enroll in identity theft protection services.