The Pentagon is currently in the process of notifying more than 26,000 current and former employees, job applicants, and partners about a potential exposure of their sensitive personal information in a data breach incident detected in early 2023.
According to a notice obtained by DefenseScoop and dated February 1, 2024, the Defense Intelligence Agency (DIA) urged recipients, including a longtime Defense Department official, to enroll in government-provided identity theft protection services due to the exposure.
The document explained that between February 3, 2023, and February 20, 2023, numerous email messages were inadvertently made accessible on the internet by a Department of Defense (DOD) service provider, potentially containing personally identifiable information (PII) of individuals associated with or supporting the DOD, as well as those seeking employment with the department.
While there is no evidence of misuse of the exposed PII, the DOD is taking proactive measures to notify individuals affected by the breach, as stated in the document.
In response to inquiries, the DIA referred questions to a Pentagon spokesperson who, citing operational security, declined to disclose the identity of the service provider involved. The spokesperson confirmed that over 20,600 individuals were affected by the breach.
Regarding the timeline of informing individuals about the breach, the spokesperson did not provide specifics but stated that ongoing notification efforts are underway.
The letter sent to potential victims of the exposure outlined the department’s collaboration with the service provider to understand the incident’s cause and implement measures to mitigate future risks. This includes procedural modifications and enhancements to anomaly detection and alert capabilities.
A Pentagon spokesperson further elaborated that multiple department organizations were involved in assessing the affected information to validate identities and contact details of impacted individuals. Following this assessment, an Identity Protection Services contract was secured in September 2023, with affected organizations actively collaborating with the contractor to notify affected individuals.
