International Business Times is among news outlets reporting that an unsecured backup drive is to blame for a massive data leak at the US Air Force: US Air Force leak exposes ‘holy grail’ of top secret data including details of over 4,000 officers. IT security experts from STEALTHbits Technologies, NuData Security and VASCO Data Security commented below.
Jonathan Sander, CTO at STEALTHbits Technologies:
“When people see that a system misconfiguration leads to sensitive data like the USAF top secret data leaking out, they often conclude that the admins are only human and there’s only so much they can do. The problem is that is the end of their thought, instead of moving to the realization that their humans desperately need automated help. This was found, luckily, by a good guy using automated scanning to see what they could find. It’s the kind of thing that can be – an may have been – found by the bad guys. They are using automation to do their work, and we need the government to equip our good guys to do the same.”
Robert Capps, VP of Business Development at NuData Security:
“This is a serious data leak, which allows nation states to target high-value military personnel for additional attacks and surveillance. If that weren’t bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals. Such profiles can be leveraged by cybercriminals and nation-state actors to not only track military personnel, but also use their real identities for account takeovers, apply for new credit, and much more. The military personnel involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts.”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“Hollywood plays up sophisticated methods to gain access to sensitive data as it makes for great movies, but the reality is most leaked data results from easy targets like an unsecured drive left behind at an airport or cab and other low-tech schemes. Regardless of the leak point, there is a simple “silver bullet” that secures data, it’s encryption. Modern encryption solutions are not only widely available for all types of end-point devices they’re also inexpensive. Especially in light of the costs that businesses and, of course, the government will now shoulder to protect (i.e. credit monitoring) individuals affected, address related fines and repair the brand. Businesses and government agencies are getting better about utilizing encryption, but it needs to be deployed more ubiquitously across mobile, network, storage and other channels. Once encryption has been addressed, then they can focus on other vulnerabilities like mobile malware.”