Fortunately, intelligence is a thing that goes steadily out-of-date as time passes. Also, once you know something has been compromised, you can take steps to significantly mitigate the damage.
I don't believe it, because I work in IT for decades and by now, above a certain level of confidence, the only way for vital information to be shared with wrong recipients can't be accidental. Years-long "accidental" proceder couldn't go unobserved. Too many people involved, too many IT-relevant security measures in the action.
The entire point is it was happening in the past though. You think they would have been preventing it before 2015, when the article claims the man notified them?
I dunno, man. I’ve been doing cybersecurity for two decades and there are an awful lot of really stupid / ignorant / blissfully unaware people in IT across the private sector - particularly at big and older companies. It wouldn’t surprise me in the slightest to learn that something like this goes unnoticed. Unless you suspect a problem, if the system isn’t subject to regular audit, it could go on for years without anyone bothering to check.
Well, without providing an in-depth breakdown of your thought process, you're just a rando on the internet, along with all the rest of us. After all, I can say I'm the owner of Twitter if I really want.
Nobody should ever believe anyone's claims on here automatically. That would be a very unwise habit to get into, for anyone.
I hope you're right though, that would be good. It certainly makes more sense to me that this would be caught earlier, and the DoD simply wouldn't bother telling anyone it was dealt with.
I still remember the biggest flaw in Hayes 9600 and how to fix it, or how to set up two soundcards so that their IRQs aren't in conflict, in DOS environment if it helps strengthening my credentials. 😎
(Unless one of those cards is Gravis' clone called Primax, these were often impossible to pair with good old Soundblaster).
Have you met any of the big IT supply subcontractors?
Many have built a business around highly specific contracts, the expectation is the service level agreements are technically met. Anything outside the contract is irrelevant and will not be done until a contract is in place. This is reflected in the culture of its staff.
For example if you raised a problem and a team had a 24 hour SLA, the team is focussed on closing the ticket within 24 hours, so they will look for a reason to close the ticket. If you outlined a problem and suggested the issue might be in X area, they will declare "User stated a problem in X, X dashboard is green" and close the ticket. 24 Hour SLA Met!
It might take you 20+ tickets before your actual problem is resolved but from their perspective that was 20+ tickets all completed within 24 hour SLA and that is the metric reported in the contact.
If you try and expose the fact it took 20 days to resolve your problem, staff in these organisations will close ranks to protect each other and the business will protect them on the basis it undermines the metrics for the contract.
Not to mention that classified information won't even be on the regular mail system to begin with, it will be on SIPRNet where this scenario is not even possible.
I thought the issue was that even though it wasn't classified info, the shear volume of "mundane" info was enough to figure it out. Stuff like an average soldier saying "Yeah, I'm getting stationed at Fort blah, Jimmy is heading out to Fort Blah" or "My departure time is 1900 and arrival is 2300". All that information can paint a pretty accurate picture.