EXCLUSIVE: MS Teams users at Army Futures Command potentially exposed private info

WASHINGTON: Users of the Microsoft Teams platform at Army Futures Command earlier this month potentially exposed personal and health identifying information to an unsecured number of department employees, and AFC is moving to prevent it from happening again, according to a memo obtained by Breaking Defense. 

Microsoft Teams — the most widely used platform across federal government and civilian agencies — allows users to choose from public and private privacy settings. Army Futures Command’s 365 MS Teams default was allegedly set to “public,” resulting in shared files being exposed to all users across the Defense Department. An AFC spokesperson confirmed to Breaking Defense on background users logged into MS Teams could see other users’ content.

“Effective immediately, AFC Headquarters and all subordinate units are prohibited from sending or sharing documents through Army 365 MS Teams on channels/groups that are PUBLIC, and prohibited from sending or sharing documents containing PII or PHI in any MS Teams Channels, whether PUBLIC or PRIVATE,” according to the April 7 Army Futures Command memo, signed out by Lt. Gen. James Richardson, the deputy commander at AFC.

The memo bans users from uploading, sending and sharing documents to any public chats, teams, pre-scheduled meetings, file centers and states all AFC enterprise organizations must ensure that all groups and channels are set to private “to reduce inadvertent release of information.”

RELATED: COVID Jump-Starts DoD’s Move To Microsoft Office 365

Cybersecurity expert Roger Cressey told Breaking Defense that with Microsoft’s position in the federal market “so large and wide,” the issue speaks to how the company is falling short in terms of positioning their products with the government in a way that reduces security risks as much as possible. 

“I think the thing with Microsoft is when you are the dominant presence in a government space, I think there’s a greater spotlight on you,” Cressey said. “And so when you are falling short, then that light is brighter [and] it really is just an obligation that they’ve got to do a better job when it comes to how they partner with the federal government, particularly the DoD world.” 

Cressey’s comments were echoed by AJ Grotto, former NSC senior director for cyber policy, who said the security issue is another example of a Microsoft product failing from a security perspective, instead of defaulting to the highest security settings possible.

Jack Wilmer, former DoD deputy chief information officer, said the memo likely resulted from a user accidentally posting information that should not have been public in MS Teams. 

“An example of the type of behavior that this memo seeks to curtail is that of a source selection team creating a meeting, and uploading source selection sensitive documents in the meeting invite,” Wilmer said. “If that meeting was not set as private, those documents would then be readable by others. This situation could arise from people not realizing that the documents would persist beyond the duration of the meeting.” 

Wilmer added the memo reads to be more focused on operational security than cybersecurity. If it was a cybersecurity concern about MS Teams itself, “there would be a more broad prohibition covering all DoD use of the platform, and it would come out of the DoD CIO’s office,” he said. 

In a statement to Breaking Defense, AFC Director of Communication Driece Harris said the intent of the memo was to ensure the force understands how to properly secure information, specifically PII. 

“There were no reported instances of a cyber breach concerning PII or PHI within the MS Teams platform. Information within the environment is only shared within the environment,” Driece said. “The Army will continue to adjust processes and procedures to ensure information remains properly protected as we continue to operationalize cloud-based collaboration platforms.”

Microsoft declined to comment for this report.