Google exposes intelligence and defense employee names in VirusTotal leak

Hundreds of individuals working for defense and intelligence agencies globally have had their names and email addresses accidentally exposed by an employee at Google’s malware scanning platform VirusTotal.

The online service lets organizations upload suspected malware to be checked against a range of anti-virus tools. VirusTotal then shares these files with the security community, creating a library of malware signatures to help cybersecurity professionals detect attempted attacks and develop threat intelligence.

But a list of 5,600 of the repository’s customers also was uploaded, accidentally, to the platform itself, as first reported on Monday by Der Spiegel. The list, which has been seen by Recorded Future News, identifies individuals affiliated with U.S. Cyber Command and the National Security Agency, as well as with the Pentagon, the FBI, and a number of U.S. military service branches.

From the United Kingdom, it contains the names of a dozen Ministry of Defence personnel as well as emails belonging to staff at the CERT-UK function of the National Cyber Security Centre, a part of GCHQ. In keeping with GCHQ’s email format, the NCSC emails include only an initial for each user’s surname.

Full names are recognisable in the email addresses belonging to specialists working at the MoD, as well as at the Cabinet Office, the Nuclear Decommissioning Authority, and the Pensions Regulator.

The primary concern among the affected organizations, which also include numerous private sector users of the VirusTotal platform, is the potential for the leaked emails to be targeted in phishing attempts.

The leak includes emails for ministries in Germany, Japan, the United Arab Emirates, Qatar, Lithuania, Israel, Turkey, France, Estonia, Poland, Saudi Arabia, Colombia, the Czech Republic, Egypt, Slovakia and Ukraine.

A spokesperson for Google told Recorded Future News: “We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform.

“We removed the list from the platform within an hour of its posting and are looking at our internal processes and technical controls to improve our operations in the future,” they added.

The list groups emails by the enterprise customer accounts they are connected to. It reveals some military personnel are using email providers other than those connected to official domains as part of their threat intelligence work, with personal accounts registered to Gmail, Hotmail, and Yahoo.

Spokespeople for organizations impacted by the leak told Recorded Future News they considered it a low-risk incident.

The Ministry of Defence, which accounts for almost half of the emails associated with the domain, said: “We are aware of a data breach from a third party involving the details of MoD employees. None of the data was sensitive and all details have now been removed.”

The National Cyber Security Centre is understood to be aware of the leak and unconcerned about its potential impact.

A spokesperson for the Nuclear Decommissioning Authority (NDA) said: “Employee email addresses may be available in the public domain for a variety of reasons, which is why we provide ongoing training and awareness for staff of the risks associated with phishing emails.”

The Pensions Regulator told Recorded Future News: “We take cyber security extremely seriously and have controls in place to prevent malicious emails from infiltrating our systems.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.