- An exposed database of UK and US military personnel has been found
- The database contained over 1 million records and sensitive PII
- The database has since been restricted, but it is not known how long it was exposed
A top cybersecurity researcher has uncovered an unprotected online database containing sensitive PII and data for members of the US and UK armed forces.
Jeremiah Fowler’s writeup, shared with VPNMentor, outlines how the database belonged to Forces Penpals, a dating and social networking service for members of the armed forces, and contained 1,187,296 records.
Much of the data apparently included full names, addresses, social security numbers of US personnel, National Insurance Numbers and Service Numbers of UK personnel, along with rank, branch of service, dates, and locations of military service members.
Armed forces data left exposed
Fowler found the database without encryption or password protection, meaning that anyone with an internet connection could have accessed it.
Fowler notified Forces Penpals about the exposure, and the database was protected the following day. However, it is not known how long the database was exposed, with Fowler noting that “Only an internal forensic audit could identify additional access or potentially suspicious activity.”
Forces Penpals, which claims to have over 290,000 members, both civilian and military, replied to the exposure notice and provided an explanation: “Thank you for contacting us. It is much appreciated. Looks like there was a coding error where the documents were going to the wrong bucket and directory listing was turned on for debugging and never turned off. The photos are public anyway so that’s not an issue, but the documents certainly should not be public.”
The level of detail contained within some of the documents would provide a malicious user with enough information to launch an identity theft or social engineering campaign against exposed users.
Additionally, Fowler says, some of the exposed data contained within the database, such as ranks, levels of security clearance, and locations, could have national security implications.
Earlier this year, Chinese state-sponsored threat actors reportedly breached a third-party contractor for the UK Ministry of Defense and accessed the data of armed forces personnel, with a similar attack attempting to steal records of ex-RAF pilots also attributed to Chinese state-sponsored groups.