Incident

US Air Force is investigating SharePoint-related data breach exposing personnel health and personal data


The United States Air Force is reporting a privacy-related security incident involving its Microsoft SharePoint systems that has resulted in the exposure of Personally Identifiable Information and Protected Health Information belonging to service members and personnel. 

The Air Force Personnel Center Directorate of Technology and Information issued a data breach notification warning of the exposure related to USAF SharePoint permissions, and implemented an Air Force-wide shutdown of all SharePoint systems. 

The cause of the breach appears to be linked to security vulnerabilities in Microsoft SharePoint servers that have been actively exploited by sophisticated threat actors since at least July 2025. 

According to Microsoft's security advisory published in July, three Chinese-affiliated hacking groups tracked as Linen Typhoon, Violet Typhoon, and Storm-2603 were confirmed to have been exploiting critical vulnerabilities in on-premises SharePoint servers to gain access to target organizations. The attackers exploited a chain of vulnerabilities collectively referred to as "ToolShell," which allowed authentication bypass and remote code execution, letting them steal sensitive data, including cryptographic MachineKey information, without requiring any credentials.

The number of affected individuals is not disclosed.

The notification warned that restoration of SharePoint-related services may take up to two weeks. "The Department of the Air Force is aware of a privacy-related issue," an Air Force spokesperson confirmed to media outlets, though the spokesperson declined to provide specific details about the nature of the breach, the number of affected individuals, or whether SharePoint and Teams services are currently offline.
