Air Force Investigating Privacy Compromise on SharePoint Sites


Audio of this article is brought to you by the Air & Space Forces Association, honoring and supporting our Airmen, Guardians, and their families. Find out more at afa.org

The Air Force is investigating a potential exposure of service members’ personal data through Microsoft SharePoint, according to a spokesperson and an email sent to Airmen. 

“This message is to inform you of a critical Personally Identifiable Information (PII) and Protected Health Information (PHI) exposure related to USAF SharePoint permissions,” the email from the Air Force Personnel Center’s IT directorate states. A source shared a screenshot of the email with Air & Space Forces Magazine and a spokesperson confirmed its authenticity. The email was subsequently posted on social media.

Microsoft SharePoint is a collaborative tool used to store, manage, and share files. It can also be used for intranets and to support websites. The Air Force has more than 6,000 SharePoint sites and libraries spread across numerous commands using the “DAF365 Enterprise Services” platform, according to a 2022 release.

While the email states that all SharePoint sites will be blocked and Microsoft Teams will be unavailable as the service investigates the data breach, Air & Space Forces Magazine understands the service is continuing to use the system while taking mitigation measures. 

“The Department of the Air Force is aware of a privacy-related issue,” a service spokesperson told Air & Space Forces Magazine. “The preliminary investigation is ongoing, and we are assessing the scope of any concerns and any necessary required remediation. We are in the process of evaluating technical remediation solutions and will act as appropriate.” 

In July, Microsoft and the Cybersecurity and Infrastructure Security Agency announced they were aware of a vulnerability and active cyberattacks on “on-premises” SharePoint servers—servers being maintained by organizations on-site and not in the cloud. The Department of Homeland Security and the Department of Health and Human Services were reportedly hacked as part of the attack, later attributed to Chinese groups.

However, Microsoft said at the time that the issue did not affect cloud-based SharePoint installations in Microsoft 365, which the Air Force migrated to in 2022. DAF365 Enterprise Services allows Airmen and Guardians to access secure but unclassified SharePoint data from anywhere.

Still, managing permissions—which the Air Force email cited as an issue in the breach—remains a major cybersecurity challenge for many organizations. Permissions refer to which users are allowed to access which data under what conditions.

Retired Air Force Brig. Gen. Gregory Touhill, director of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, would not comment on the Air Force’s ongoing investigation, but did tell Air & Space Forces Magazine that “one of the big lifts for SharePoint administrators is getting the right permissions associated with the individuals and/or the groups.”

Indeed, the Air Force’s unofficial Reddit page has multiple examples of Airmen saying they’ve run into issues with SharePoint permissions, including at least one case of personally identifiable information.

In large organizations like the Air Force, Touhill noted, individuals with similar roles can and should be put into groups and given the same permissions. However, when administrators or managers have roles that span multiple groups and special permissions, Touhill said organizations need to have other safeguards in place, such as: 

  • Separation of duties, where administrators have a separate account for day-to-day tasks with fewer permissions 
  • Multi-factor authentication 
  • Restrictions on external sharing of data 

“Many data owners fail to properly document who has access to a site, files, and data and why they have that access,” Touhill added. “This should be part of every organization’s internal controls protocols and subject to regular independent third-party auditing.” 

Part of the issue comes down to properly setting up and configuring software, Touhill said. Cybersecurity firm AppOmni has published research on how data can be inadvertently exposed due to improper settings when software-as-a-service products such as Microsoft’s are installed.

The Air Force spokesperson could not provide any additional information on the service’s specific issues with SharePoint and how permissions played a role. 
