Booz Allen subcontractor leaked sensitive US military personnel data – report
The security incident saw over 11 GB of data, including records on US military personnel, exposed online

A US government subcontractor reportedly left exposed a massive amount of sensitive data pertaining to military healthcare professionals. Security researchers uncovered that the data leaked online included personal and sensitive information of military personnel, some of whom hold the highest level of security clearance, according to a report.

Booz Allen subcontractor Potomac Healthcare Solutions was reportedly the source of the leak. The firm was reportedly brought on board to supply healthcare professionals to US government and military organisations. According to Chris Vickery, lead security researcher at the MacKeeper Security Center, who discovered the exposure, the data included details of US Special Operations Command (SOCOM) personnel. Those affected include both former and active staff employed by the army, navy and air force.

Vickery told IBTimes UK: "I first started downloading and reviewing parts of the data on Christmas Day, but did not fully realise the nature of the files until a day or so later. It was found through review of Shodan.io results regarding port 873.

"There were well over 11 gigs exposed. The vast majority were related to Potomac's financial operations (QuickBooks backups, invoices, account statements, etc). However, there were also many spreadsheets and text dumps containing the private details of healthcare workers that Potomac supplies to the US government. These workers include people such as psychologists working with Special Operations Warriors and having top secret clearances."

According to a report by ZDNet, a sample of the leaked data provided by Vickery showed that the data was freely accessible to anyone on the internet, with no protection against abuse by malicious parties.

The data included a "master tracking list" of staff linked to SOCOM's Preservation of the Force and Family (POTFF) programme, detailing information of the staff's security clearance levels.

The leaked data reportedly included names, social security numbers and more, dating as far back as 1998. Places of work as well as staff living quarters used when not on active duty were included in the leaked data. Details of staff's pay scales, contract dates, residency, work locations and more were part of the files.

The data pertaining to POTFF also allegedly revealed the name and location of one Special Forces data analyst, granted top-level security clearance.

What caused the breach?

According to Vickery, the incident was caused by an insecure server at Potomac Healthcare Solutions. The subcontractor was running an rsync daemon, a commonly used file synchronisation service that listens on TCP port 873, with no username or password required to list its modules or download their contents, which is why a search of Shodan.io results for that port was enough to find it.
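The check a practitioner would want to run against their own hosts is the same one the rsync client performs: connect to port 873, read the daemon's "@RSYNCD:" banner, ask for the module list with "#list", then request each module and see whether the daemon answers "@RSYNCD: OK" (no credentials needed) or "@RSYNCD: AUTHREQD" (a password is required). The following is an added example written for this article, not code from Potomac, Booz Allen or the researcher; it speaks the rsync daemon text protocol directly and, so that it runs offline, includes a small fake daemon with constructed module names ("backups", "secure") to probe.

```python
"""Probe an rsync daemon on TCP 873 for modules that need no credentials.

Added example for this article (not the subcontractor's or the researcher's
code). Implements the client side of the rsync daemon handshake and a fake
daemon for an offline demonstration; all module names are constructed.
"""
import socket
import socketserver
import threading

RSYNCD_PORT = 873
CLIENT_VERSION = b"@RSYNCD: 31.0\n"   # protocol version a modern rsync client announces


def parse_banner(line: bytes):
    """Return the protocol version from '@RSYNCD: 31.0 sha512 ...', or None if not rsyncd."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != b"@RSYNCD:":
        return None
    return parts[1].decode("ascii", "replace")


def parse_module_list(lines):
    """Parse the reply to '#list': 'name<TAB>comment' lines until '@RSYNCD: EXIT'."""
    modules = {}
    for line in lines:
        if line.startswith(b"@RSYNCD:"):          # EXIT marker ends the listing
            break
        if not line.strip():
            continue
        name, _, comment = line.decode("utf-8", "replace").partition("\t")
        modules[name.strip()] = comment.strip()
    return modules


def classify_module_reply(line: bytes) -> str:
    """Map the daemon's answer to a module request onto open / auth / denied."""
    if line.startswith(b"@RSYNCD: OK"):
        return "open"          # anyone can transfer files from this module
    if line.startswith(b"@RSYNCD: AUTHREQD"):
        return "auth"          # 'auth users' is configured; a challenge follows
    return "denied"            # '@ERROR: ...' (unknown module, hosts allow, etc.)


def _handshake(host, port, timeout):
    """Connect, read the banner, announce our version; return (socket, file, version)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb")
    version = parse_banner(f.readline())
    if version is None:
        f.close(); sock.close()
        raise ValueError(f"{host}:{port} is not an rsync daemon")
    f.write(CLIENT_VERSION); f.flush()
    return sock, f, version


def probe(host, port=RSYNCD_PORT, timeout=5.0):
    """Return {'version': str, 'modules': {name: 'open'|'auth'|'denied'}, 'comments': {...}}."""
    sock, f, version = _handshake(host, port, timeout)
    try:
        f.write(b"#list\n"); f.flush()
        comments = parse_module_list(iter(f.readline, b""))
    finally:
        f.close(); sock.close()
    statuses = {}
    for name in comments:                     # the daemon closes after #list, so reconnect per module
        sock, f, _ = _handshake(host, port, timeout)
        try:
            f.write(name.encode() + b"\n"); f.flush()
            statuses[name] = classify_module_reply(f.readline())
        finally:
            f.close(); sock.close()
    return {"version": version, "modules": statuses, "comments": comments}


class FakeRsyncd(socketserver.StreamRequestHandler):
    """Minimal stand-in daemon (constructed data): one open module, one needing auth."""
    MODULES = {"backups": ("Finance and HR dumps", False),   # no 'auth users' -> wide open
               "secure": ("Requires login", True)}           # 'auth users' configured

    def handle(self):
        self.wfile.write(b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n")
        self.rfile.readline()                                 # client's version line
        req = self.rfile.readline().strip().decode("utf-8", "replace")
        if req == "#list":
            for name, (comment, _) in self.MODULES.items():
                self.wfile.write(f"{name}\t{comment}\n".encode())
            self.wfile.write(b"@RSYNCD: EXIT\n")
        elif req in self.MODULES:
            if self.MODULES[req][1]:
                self.wfile.write(b"@RSYNCD: AUTHREQD constructedchallenge\n")
            else:
                self.wfile.write(b"@RSYNCD: OK\n")
        else:
            self.wfile.write(f"@ERROR: Unknown module '{req}'\n".encode())


def run_demo():
    """Start the fake daemon on a loopback port, probe it, and return the findings."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRsyncd)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown(); srv.server_close()


if __name__ == "__main__":
    for module, status in run_demo()["modules"].items():
        print(f"{module}: {status}")
```

Any module reported as "open" is readable by whoever finds the port; the fix in rsyncd.conf is an "auth users" line with a "secrets file" for every module (and "hosts allow" where the client set is known), or not exposing 873 beyond a private network at all. The same listing is what an ordinary client gets from `rsync rsync://host/`, which is the quickest manual confirmation.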

Vickery explained to IBTimes UK: "At this point the best guess is human error on Potomac's side. Although it's important to note that I have not done any sort of forensic examination of their systems at all, so there are numerous other potential causes. To my knowledge, Potomac has not made any official statements regarding whether or not they believe human error was the root cause."

Vickery said he contacted one of Potomac's co-chief executives about the incident, and the firm has since secured the data. A Potomac co-chief executive told ZDNet that the firm was "addressing" the issue.

Booz Allen told ZDNet that it was "looking into" the incident. A spokesperson said: "We take any allegation of a data breach very seriously, including those from our subcontractors."

Commenting on the potential implications of the data breach, Vickery said in a blog post: "It's not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information. Let's hope that I was the only outsider to come across this gem. Let's really hope that no hostile entities found it. Loose backups sink ships."

Update:

Potomac Healthcare Solutions provided IBTimes UK with an emailed statement following the publication of this article. The statement read, "We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information.

"Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns."