DOD Contractor API Flaw Exposes Military Course Data, Service Member Records

AI-generated from multiple sources. Verify before acting on this reporting.

WASHINGTON — A security vulnerability in an API managed by a Department of Defense contractor exposed sensitive military course data and service member records, according to findings released Tuesday.

Schemata, a defense contractor providing digital learning infrastructure, was identified as the entity responsible for the compromised system. The breach was discovered during a security testing project known as Strix, which flagged the exposure on May 6, 2026.

The vulnerability stemmed from API endpoints that lacked meaningful authorization checks. Additionally, tenant boundaries were not properly enforced, allowing unauthorized access to data across different organizational segments. The flaw permitted access to information that should have been restricted to specific users or departments.

The exposed data included details regarding military training courses and personal records of service members. While the specific volume of records accessed has not been disclosed, the nature of the data raises concerns regarding the privacy and security of military personnel.

Schemata has acknowledged the issue and stated that remediation efforts are underway. The contractor is working to implement stricter authorization protocols and enforce proper tenant isolation to prevent future occurrences. The Department of Defense has been notified of the breach and is coordinating with Schemata to assess the full scope of the incident.
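The flaw class reported here (endpoints without meaningful authorization checks, tenant boundaries not enforced) and the remediation described above can be shown side by side in a short added example. It is not code from Schemata or the Strix project; every name, role and record in it is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:              # hypothetical authenticated caller
    user_id: str
    tenant_id: str
    roles: frozenset

@dataclass(frozen=True)
class Record:                 # hypothetical stored object
    record_id: str
    tenant_id: str
    owner_id: str
    body: str

# Constructed sample data: one record per tenant.
STORE = {
    "r1": Record("r1", "tenant-a", "alice", "course roster A"),
    "r2": Record("r2", "tenant-b", "bob", "course roster B"),
}

class AccessDenied(Exception):
    pass

def get_record_unsafe(principal, record_id):
    """Weak pattern: the caller is known, but the object is never checked against it."""
    return STORE.get(record_id)

def get_record(principal, record_id):
    """Hardened pattern: tenant boundary first, then object-level authorization."""
    rec = STORE.get(record_id)
    # Same answer for "missing" and "other tenant", so the response does not
    # reveal which record ids exist in another tenant.
    if rec is None or rec.tenant_id != principal.tenant_id:
        raise AccessDenied("not found")
    if rec.owner_id != principal.user_id and "training_admin" not in principal.roles:
        raise AccessDenied("forbidden")
    return rec

def audit(handler, principals, record_ids):
    """Regression check: list (user, record) pairs where a handler crossed tenants."""
    leaks = []
    for p in principals:
        for rid in record_ids:
            try:
                rec = handler(p, rid)
            except AccessDenied:
                continue
            if rec is not None and rec.tenant_id != p.tenant_id:
                leaks.append((p.user_id, rid))
    return leaks
```

Running `audit` against every data-returning handler in a test suite turns tenant isolation into a property that fails the build when a new endpoint omits the check.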

Security experts note that API vulnerabilities are a growing concern in the defense sector, where digital infrastructure is increasingly interconnected. The incident highlights the importance of robust access controls and regular security audits in systems handling sensitive government data.

The Strix project, which identified the flaw, is part of a broader initiative to test the security posture of defense-related systems. The project aims to identify and remediate vulnerabilities before they can be exploited by malicious actors.

Questions remain regarding the duration of the exposure and whether any unauthorized parties accessed the data during the vulnerability window. Schemata has not confirmed if any data was exfiltrated, only that the system was accessible without proper authentication.

The Department of Defense has not yet issued a public statement regarding the incident. Officials are expected to provide more details as the investigation continues. The breach serves as a reminder of the ongoing challenges in securing digital systems that support national defense operations.

As of Tuesday evening, no further details have been released regarding the specific types of service member records exposed or the potential impact on ongoing military operations. The situation remains under review as Schemata works to secure the affected systems.