U.S. Special Operations Command is investigating a claim by a cybersecurity consultant that he was able to breach a database containing the personal information of hundreds of health care workers who treat commandos and their families.
The investigation was confirmed by Ken McGraw, a spokesman for SOCom, the command based at MacDill Air Force Base that helps guide the work of the military's commandos. Consultant Chris Vickery told the Tampa Bay Times he gained entry into the database of a Virginia company that provides health care workers for a SoCom program called Preservation of Force and Family.
The files he acquired do not appear to contain health care information about commandos, Vickery said. It is unknown whether anyone outside the company other than him had accessed the data, he said.
The information contains names, Social Security numbers, home and work addresses, email addresses, phone numbers, resumes and security clearances for employees with Potomac Healthcare Solutions.
It also includes the company's jobsite locations around the United States as well as in Japan, Ireland and other foreign lands. As part of the program, the health care workers travel to locations where commandos are based.
Potomac Healthcare Solutions is a subcontractor with Booz Allen Hamilton, which in 2013 won a contract worth up to $475 million to run the Preservation of the Force and Family program. The SOCom program provides mental, physical and spiritual care to commandos with the Navy SEALs, Army Green Berets and Rangers, Delta Force members and Air Force and Marine commandos, according to the Potomac website. Families also are covered.
The program is aimed at "decreasing the rate of physical and emotional injuries from all causes, and significantly accelerating return to duty times," the website says.
Many of the employees in the database hold the highest federal security clearance, said Vickery, who still has the data.
Potomac officials said in a statement to the Times on Monday that they are aware of Vickery's claim. They said internal and external reviews have turned up no sign yet that any sensitive information was compromised.
"The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns," Potomac said.
Vickery said he found the data by using a search engine that sweeps the so-called Internet of Things, a networking of devices connected to the Internet including security cameras, refrigerators and even light bulbs.
Vickery is the recipient of the 2016 Data Detective Award from Patient Privacy Rights and Harvard University's Data Privacy Lab. He said he has helped in investigations conducted by the Federal Trade Commission, FBI, Texas Attorney General's Office, Secret Service and the state of Kansas.
He gained entry to the Potomac data during a Christmas Day search but did not realize until the next day what he had found, he said. On Sunday, Vickery posted redacted copies of some of the data on his blog at MacKeeper, an Internet security firm. The blog item was first reported by ZDNet, an Internet technology website.
"We take any allegation of a data breach very seriously, including those from our subcontractors," said James Fisher, a Booz Allen Hamilton spokesman, in an email message to the Times. "We are looking into this alleged event."
Aside from health care workers' personal information, Vickery was able to obtain a list of hundreds of millions of dollars in future contracts Potomac is seeking, as well as a number of password-protected financial databases he said he does not want to try breaching.
On his blog post, Vickery said he had difficulty persuading Potomac officials to take his breach seriously. He said that as of Monday afternoon, no one from SOCom had contacted him.
"It's not hard to imagine a Hollywood plot line in which a situation like this results in someone being kidnapped or blackmailed for information," Vickery wrote in his blog. "Let's hope that I was the only outsider to come across this gem. Let's really hope that no hostile entities found it. Loose backups sink ships."
Contact Howard Altman at firstname.lastname@example.org or (813) 225-3112. Follow @haltman