Air Force Personnel Database Owned

According to this Air Force Times story, personnel data for "about 33,300 officers and 19 airmen" was remotely accessed. The records include "Social Security numbers... marital status, number of dependents, date of birth, race/ethnic origin (if declared), civilian educational degrees and major areas of study, school and year of graduation, and duty information for overseas assignments or for routinely sensitive units."

The story quotes an Air Force spokesman:

"'Basically, we had an unauthorized user gain access to a single user account by stealing a password,' said Lt. Col. John Clarke, chief of the Systems Operations Division at the Air Force Personnel Center. 'Then they went in and accessed member information on roughly 33,000 military members.'"

I would like to know how a "single user account" was able to query records on 33,000 people. If this account belonged to a normal user (i.e., an Air Force member), some serious problem allowed that single account to look at other members' records. Alternatively, the user account could have belonged to someone with privileges to review records.

It sounds like my old unit helped with the response:

"Personnel officials went to the 8th Air Force network operations center for help and called in the network security experts at the Air Intelligence Agency. They also brought in the Air Force Office of Special Investigations and legal specialists."


Popular posts from this blog

MITRE ATT&CK Tactics Are Not Tactics

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4