Cyber

Post-data breach, DOD held ‘very candid discussions’ with Microsoft

A recent interview with the Pentagon's CIO suggests there’s still much to be revealed about the incident’s scope.

May 14, 2024

A signage of Microsoft is seen on March 13, 2020 in New York City. (Photo by Jeenah Moon/Getty Images)

Pentagon leadership is satisfied with the security protocol adjustments Microsoft made in the aftermath of the data spill that exposed the sensitive, personal information of more than 20,000 people early last year, according to the department’s Chief Information Officer John Sherman.

In an interview last week on the sidelines of the annual GEOINT Symposium, the CIO provided new details about his team and the tech vendor’s ongoing response to that massive, but still publicly murky, data breach incident.

“I want to emphasize that Microsoft did a thorough after-action review to determine what happened on that, and to ensure it wouldn’t happen again,” he told DefenseScoop, adding that due to sensitivities he couldn’t elaborate on what was found.

Broadly, Sherman’s responses suggest there’s still much to be revealed regarding the incident’s scope and Microsoft’s immediate handling of the data compromise, which impacted thousands of current and former Defense Department employees, job applicants and partners in February 2023 — though most weren’t alerted about it until a year later.

“I’m not going to be able to confirm which DOD components were affected,” he said in the interview.

As DefenseScoop initially reported when this security incident first came to light, heaps of emails containing personally identifiable information (PII) were inadvertently exposed and accessible online via commercial servers for a little over two weeks.

Although Sherman and other senior officials would not confirm the DOD organizations that had emails and other records unmasked in the breach, screenshots that an independent security researcher shared with DefenseScoop of the data present on the Microsoft server when it was exposed online show sensitive details associated with U.S. Special Operations Command personnel.

The text included multiple military officials’ names, spouses’ names and addresses — and also detailed a variety of other personal information including but not limited to their religious preferences, the churches they attend, their pets and overall deployment history.

“What I will tell you is that we worked very closely with Microsoft on this to see what happened. They were very forthcoming about what happened, and they adjusted their procedures to make sure that this would not happen again, in terms of the personally identifiable information, or PII that was compromised,” Sherman told DefenseScoop.

“And so this isn’t us raking them in over the coals or anything like that, but we had some very candid discussions at my level to protect our service members and civilians. But I will not be able to go through the affected entities within DOD,” he added.

Sherman said he wanted to give Pentagon Deputy Chief Information Officer for Cybersecurity David McKeown and his team “a shout out” for working closely with the impacted military components and Microsoft to respond to the incident.

In September 2023, the department awarded an identity protection services-focused contract for a vendor to notify and support all individuals who had data unmasked in the breach.

Sherman could not immediately confirm whether everyone involved has been notified of the exposure to date.

He also wouldn’t supply in-depth information regarding what was believed to be the original cause of the data spill, though he broadly pointed to “cyber hygiene and configuration management.”

“I won’t get into a lot of details. This is just kind of, from my words, just kind of [about] good housekeeping here of procedures and adhering to procedures. And again, Microsoft, the vendor, has been very transparent on this — as with any entity that’s gone through something on being forthright on what needed to be fixed. [The DOD’s zero-trust concept] is kind of about this. But part of this is just when you say you need to do A, B, C, and D, you have to do those things — and double check it to make sure all the barn doors are closed, that should be closed,” Sherman said in the interview.

On Tuesday, a Microsoft spokesperson declined to comment.

The company is one of four major U.S. technology giants competing for individual task orders to ultimately provide the Pentagon’s envisioned enterprise cloud capability that will underpin vital data workloads to enable future military operations.

Post-data breach, DOD held ‘very candid discussions’ with Microsoft

More Like This

House bill directs Pentagon’s network defense arm to become subordinate unified command

DOD using Army tool to fulfill directive under AI executive order

Gen. Mattis on foreign influence operations: The US has never been ‘more vulnerable’

Top Stories

SDA restructuring ground support program for experimental sats to focus on fire-control missions

Meet the 2024 DefenseScoop 50 Awards winners

DOD critical tech office moves to speed up software transitions

Army officially resources 3 theater information advantage detachments

Pentagon’s new CDAO unveils fresh hires on her leadership team

More Scoops

With 2027 deadline looming, DOD moves into implementation phase of zero trust transformation

DOD notifying more than 26,000 people who may be impacted by a year-old data breach

DOD wants to create ‘intermediary’ capability to enhance cloud computing

Pentagon CIO considers changes to cloud service provider security measures in wake of potential data exposure

Watchdog finds decrease in cyber incidents on DOD networks, but major increase in PII breaches

Latest Podcasts

How the Navy is reducing workforce friction to improve mission outcomes

How DARPA is looking to AI to fend off cyber vulnerabilities through a challenge program

How the DOD protects national security interests by monitoring climate change

DISA looks to offer multi-cloud capabilities at the tactical edge

Weapons

Cyber

AI

IT