The travel records for up to 30,000 U.S. military and civilian workers have reportedly been leaked through a commercial vendor used by the Pentagon.
According to a report by the AP News, an anonymous source familiar with the matter stated that this breach was discovered on October 4th, but may have happened months ago. The report also states that the 30,000 number is tentative at this point and may increase.
“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population,” Lt. Col. Joseph Buccino, a Pentagon spokesman, told AP News.
The AP News source has also stated that while the breach is still under investigation, no classified information has been leaked.
For security reasons, the Pentagon is not disclosing the vendor who was affected by the breach. They have also stated that even though the vendor is under contract, they are moving forward with ending the use of the vendor's software.
This is not the first time that data used by the Department of Defense was leaked. In 2017, security researcher Chris Vickery found misconfigured Amazon S3 buckets exposing databases that contained 1.8 billion social and forum posts made by users all over the world. Ten days later, the same researcher discovered another misconfigured S3 bucket that exposed what appeared to be classified information from INSCOM.
This breach also comes soon after research that indicates that the Department of Defense's advanced weaponry systems are easy to hack. According to a report by the US Government of Accountability Office (GAO), mission-critical vulnerabilities are commonly found in "nearly all weapon systems that were under development."