Digital Flash Card Apps Exposed US Nuclear Weapons Secrets
Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.
"Shadow IT" at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everybody with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids "gaming rig" for work because the company-provided laptop is too slow.
This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.
Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.
When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.