The US Air Force is investigating a critical data breach involving the exposure of **Personally Identifiable Information (PII)** and **Protected Health Information (PHI)** due to vulnerabilities in **Microsoft SharePoint**. The breach, linked to **Chinese-affiliated hacking groups (Linen Typhoon, Violet Typhoon, Storm-2603)**, exploited authentication bypass and remote code execution flaws, enabling unauthorized access to sensitive data, including **MachineKey information**. As a precaution, the Air Force blocked all SharePoint access across its systems, with potential extensions to **Microsoft Teams and Power BI dashboards** due to their integration with SharePoint. The incident follows a broader pattern of state-sponsored cyberattacks targeting US federal agencies, raising concerns over national security and data integrity. The breach’s full scope remains under investigation by **Microsoft and US authorities**, with suspicions also directed toward **Russian state-sponsored actors** given historical precedents. The exposed data includes highly sensitive military personnel records, posing risks of identity theft, espionage, or operational disruptions.
Source: https://www.yahoo.com/news/articles/us-air-force-investigating-data-140300727.html
TPRM report: https://www.rankiteo.com/company/united-states-air-force
{
  "id": "uni2432224100425",
  "linkid": "united-states-air-force",
  "type": "Breach",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Defense',
                        'location': 'United States',
                        'name': 'United States Air Force (USAF)',
                        'type': 'Government/Military'},
                       {'location': 'United States',
                        'name': 'At least two unnamed US federal agencies',
                        'type': 'Government'},
                       {'location': 'Global',
                        'name': 'Numerous global organizations (unspecified)'}],
 'attack_vector': ['Authentication Bypass', 'Remote Code Execution (RCE)'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable Information (PII)',
                                              'Protected Health Information (PHI)',
                                              'MachineKey Information']},
 'date_publicly_disclosed': '2025-07',
 'description': 'The US Air Force is investigating a data breach caused by a Microsoft SharePoint vulnerability, '
                'exposing Personally Identifiable Information (PII) and Protected Health Information (PHI). '
                'Chinese-linked hacking groups (Linen Typhoon, Violet Typhoon, and Storm-2603) exploited SharePoint '
                'flaws for authentication bypass and remote code execution, leading to data theft, including '
                'MachineKey information. The breach prompted an Air Force-wide block of SharePoint, Microsoft Teams, '
                'and Power BI dashboards to mitigate risks. The incident is under active investigation by Microsoft '
                'and US authorities, with suspicions primarily directed at Chinese state-sponsored actors, though '
                'Russian groups are also considered potential culprits.',
 'impact': {'brand_reputation_impact': ['Potential erosion of trust in US Air Force cybersecurity',
                                        "Scrutiny of Microsoft's security practices"],
            'data_compromised': ['Personally Identifiable Information (PII)',
                                 'Protected Health Information (PHI)',
                                 'MachineKey Information'],
            'identity_theft_risk': ['High (due to PII exposure)'],
            'operational_impact': ['Air Force-wide block of SharePoint, Teams, and Power BI',
                                   'Disruption to workflows and collaboration tools'],
            'systems_affected': ['Microsoft SharePoint (Air Force-wide)',
                                 'Microsoft Teams (potentially blocked)',
                                 'Power BI Dashboards (potentially blocked)']},
 'initial_access_broker': {'entry_point': ['Exploited SharePoint vulnerabilities (authentication bypass, RCE)'],
                           'high_value_targets': ['US Air Force PII/PHI',
                                                  'MachineKey information']},
 'investigation_status': 'Ongoing (by Microsoft and US authorities)',
 'motivation': ['Espionage', 'Data Theft'],
 'post_incident_analysis': {'root_causes': ['Vulnerabilities in on-premises SharePoint servers',
                                            "Potential lapses in Microsoft's cybersecurity practices"]},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'The Register'},
                {'source': 'Microsoft (July 2025 confirmation of SharePoint exploits by Chinese groups)'}],
 'response': {'communication_strategy': ['Data breach notification issued via social media by Air Force '
                                         'Personnel Center Directorate of Technology and Information'],
              'containment_measures': ['Air Force-wide block of SharePoint',
                                       'Potential block of Microsoft Teams and Power BI'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['Microsoft']},
 'stakeholder_advisories': ['Air Force Personnel Center Directorate of Technology and Information notification'],
 'threat_actor': ['Linen Typhoon (Chinese-affiliated)',
                  'Violet Typhoon (Chinese-affiliated)',
                  'Storm-2603 (Chinese-affiliated)'],
 'title': 'US Air Force SharePoint Breach Exposing PII and PHI',
 'type': ['Data Breach', 'Unauthorized Access', 'Exfiltration'],
 'vulnerability_exploited': ['Microsoft SharePoint Server Vulnerabilities (On-Premises)']}