The U.S. Air Force is investigating a potential data exposure involving Microsoft SharePoint that may have revealed service members’ personal and health information, according to an internal email and Air Force officials.
“This message is to inform you of a critical Personally Identifiable Information (PII) and Protected Health Information (PHI) exposure related to USAF SharePoint permissions,” an email from the Air Force Personnel Center’s IT directorate obtained by Air & Space Forces Magazine states.
The message also said access to all Air Force SharePoint sites would be blocked “to protect sensitive information.”
An Air Force spokesperson told Air & Space Forces Magazine that the Department of the Air Force is aware of the “privacy-related issue” but said the scope and impact are still being assessed.
“The preliminary investigation is ongoing, and we are assessing the scope of any concerns and any necessary required remediation. We are in the process of evaluating technical remediation solutions and will act as appropriate,” the spokesperson said.
Microsoft SharePoint is a collaboration platform that allows users to store, manage, and share files. It can also support intranet functions and website hosting. The Air Force reportedly operates over 6,000 SharePoint sites and libraries across multiple commands through the “DAF365 Enterprise Services” platform.
Microsoft declined to comment on the incident. The company and the Cybersecurity and Infrastructure Security Agency previously disclosed cyberattacks on on-premises SharePoint servers in July, linked to Chinese state-sponsored hackers and ransomware groups.
Microsoft said those attacks did not affect cloud-based systems like DAF365.
