Personal information – including home addresses, Social Security Numbers, cellphone numbers of next of kin, and bank account details – of thousands of Marines and civilians, leaked due to a simple mistake made by someone at the U.S. Marine Corps Forces Reserve.
Apparently, someone at the Reserve sent an email early last week to an incorrect distribution list, and attached to that email a file containing sensitive data from the Defense Travel System, which is used by the Defense Department to process and store expense reports and itineraries from official travel.
Major Andrew Aranda, spokesperson for the Marine Forces Reserve, said that 21,426 people were affected by the leak, which the military believes was the result of an error, with no malicious intent involved. The problematic email was apparently sent to some addresses within the marine’s usmc.mil domain (used for only unclassified communications), as well as to some external domains. While, according to Marine Corp. Times, Aranda noted that the mistake “was very quickly noticed and email recall procedures were implemented to reduce the number of accounts that received it,” email recall mechanisms are, of course, ineffective once emails leave an organization to external email addresses – which are also the locations that pose the greatest risk to the sensitive information.
Personal information of the sort leaked by the military can be used by criminals or enemy states to steal identities, trick people into providing other sensitive information or into granting access into sensitive systems, and for all sorts of financial crimes. Furthermore, this leak may pose additional risks in the case members of the military and their families – providing enemies of the United States with information to target such folks for attacks or for recruitment as spies. Let us hope that the parties who received the email containing the private information were friendly and quickly destroyed it.
Ironically, it was just over half-a year ago that the Government Accountability Office reported that while the government had improved information-security practices in the aftermath of the massive 2015 Office of Personnel Management data breach, various contractor-operated systems still lacked comprehensive security.
The Marines have promised to implement changes to better safeguard private information from future leaks. In my opinion, proper usage of both Data Loss Prevention technologies as well as encryption could have stopped the current leak and would be worth exploring immediately – but, clearly, a thorough review of policies, procedures, and their implementation is certainly also necessary.