In excess of 70,000 U.S. Army files purportedly containing sensitive information about military personnel and photos of military bases were leaked for many months before being rectified, Military.com has learned.
Cybernews, an independent media outlet focused on cybersecurity and technology, first became privy to the leak when on March 16 its team received a tip from a security researcher who reported a leaky directory containing sensitive U.S. military information. The researcher purportedly claimed to have notified the United States Computer Emergency Readiness Team (US-CERT), but the data was still not secured.
“The data leak is concerning, as sensitive U.S. military data was stored insecurely for over a year, even after CISA (Cybersecurity and Infrastructure Security Agency) was reportedly notified,” Aras Nazarovas, senior information security researcher for Cybernews, told Military.com.
This signifies that even when it comes to the military and their facilities, it is too common to find data being stored insecurely, and remediation efforts are not prioritized even after notifying the relevant authorities.
That data, comprised of at least 70,000 files and exposed from a dataset, allegedly includes information related to U.S. military bases and other sites being exposed via an open directory listing vulnerability. There was a purported lack of security controls for accessing documents in the exposed directory.
Other leaked information purportedly included maintenance work orders, building schematics, personally identifiable information of military personnel, and personally identifiable information of contractors.
Company Takes Responsibility for Leaks
The leaks have been traced to CMI Management, a U.S. government contractor providing facility management solutions to the U.S. Army.
CMI’s website describes the company as “delivering top-tier government facilities services, offering innovative, reliable solutions that meet the evolving needs of federal clients across the country.”
A spokesperson for Dexterra Group, the parent company of CMI Management, acknowledged the leak and efforts to mitigate the situation in remarks provided on Thursday to Military.com.
“Dexterra Group is aware of recent reporting on a data exposure involving a directory associated with CMI Management, our U.S.-based government facilities services business,” they said. “The directory in question has been secured. Safeguarding operational data is a critical priority for our organization.
“While this incident does not reflect the standards we uphold across our operations, we are taking it seriously and are conducting a thorough internal investigation to determine the root cause and strengthen our protocols. This review will inform enhanced security measures to prevent recurrence.”
Multiple inquiries to the Army never garnered a response. Military.com also reached out to US-CERT and CISA, with the latter deferring comment to the Army.
How Leaks Occurred
Nazarovas said that Cybernews was able to attribute the leak to CMI Management based on contact information found in the exposed files, as well as the fact that the leaking web server used a CMI Management-controlled SSL (Secure Sockets Layer).
“Once we identified the responsible party, we disclosed the data leak to them,” Nazarovas said.
A researcher named Arkadeep Roy is said to have initially approached Cybernews with the information about the leak. Nazarovas said that communication was established due to Roy allegedly never receiving any positive indication from either CISA or CMI Management that the issue, which occurred for more than a year, was being rectified.
“It appears that the researcher chose to share the leak details with us because we have a history of covering similar data leaks,” Nazarovas said. “We believe that the desire to publish this information publicly was a last resort effort to bring attention to the issue in hopes of finally getting it resolved.”
According to Nazarovas, CMI Management accidentally exposed the data through a directory that lacked security controls and authentication. They chose to host files associated with one of their work order management systems on a web server that was configured to allow the listing of all the stored files, lacking any authentication or authorization features to restrict access to these files, he added.
“Roy reported to us that he notified the US-CERT in 2024,” he said. “After that, Roy received confirmation that US-CERT is ‘in contact with the related vendor,’ but according to Cybernews researchers, the data is still exposed to this day.”
Cybernews, like Military.com, received no response from CMI or CISA when it attempted to disclose the leak, he added.
Effects of Leaked Files
Tens of thousands of files were open for months, according to Cybernews.
Nazarovas said that in the worst-case scenario, U.S. adversaries like Russia or China or even Iran could utilize the details for numerous nefarious purposes.
“For one, nation-state actors could use leaked details to create a detailed map of military bases and their layout, which might not be possible from aerial imagery alone,” he said. “The schematics may even help to identify structural vulnerabilities.
“Additionally, threat actors could use the leaked personal details to target both military personnel and contractors. Phishing campaigns and social engineering attacks could be utilized to gain additional access to military installations or CMI Management, a long-time partner of the U.S. government.”
Read the full article here