- A leaked folder of US military data was found in 2024
- Cybernews received a tip about the library and launched an investigation
- The leaked folder remained accessible despite CISA being notified
A leaked folder containing over 70,000 files relating to military personnel, contractor records and photos taken inside military bases has been revealed.
Researchers from Cyber news was tipped off about the leaked folder and examined the contents.
Despite the Cybersecurity and Infrastructure Security Agency (CISA) being informed by security researcher Arkadeep Roy in 2024, the dataset has remained exposed and was actively leaking as of April 2026.
Forms and personnel files exposed
Cybernews discovered that the dataset was exposed via an Open Directory Listing vulnerability. The library also lacked adequate security controls. The library turned out to belong to CMI Management Inc., a US government contractor that is part of the Dexterra Group.
According to the CMI Management website, the company specializes in providing public facilities. The website says, “Over the years, CMI has successfully managed a wide variety of public facilities, from training centers to mission-critical operations.”
The files were originally discovered in 2024, with CISA notified the same year. On March 16, 2026, Cybernews was tipped off about the exposed database and began an investigation the next day. Cybernews confirmed the leaked folder and reported it to CMI Management and CISA on March 18, 2026.
Cybernews shared a number of examples of images that have been heavily edited to censor private information. The images include maintenance forms, emails between staff and photos of internal infrastructure. Cybernews alerted CMI Management to the leaked folder, but did not immediately receive a response.
The leak of sensitive personnel and contractor information could put current and former US military personnel at risk of phishing or impersonation attempts, or personal data could be used to gain unauthorized access to military installations.
Of particular concern is the leak of internal photos of US military bases and base schematics, which could be used by threat actors to create detailed maps of US military bases and identify weak points in both structure and security.
“The data leak is troubling as sensitive US military data was stored insecurely for over a year even after CISA was allegedly notified. This means that even when it comes to the military and their facilities, it is all too common to find data stored insecurely and remediation efforts are not prioritized even after notifying the appropriate authorities,” the Cybernews research team said.
Following the Stryker Corporation cyber attack, CISA issued an alert in March 2026 with guidance on how organizations should harden endpoint management system configurations to defend against malicious cyber activity.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
