A cybersecurity firm has reported the discovery of 60,000 files from a US intelligence agency left on an unsecured public server with absolutely zero protection, not even a password.
The files were related to a military project being undertaken by the National Geospatial-Intelligence Agency (NGA), which uploaded the files to an Amazon cloud storage server that anyone could access.
Chris Vickery, a risk analyst with cyber resilience firm UpGuard, did just that. Among the files was sensitive information, including the security credentials of a senior employee at defense contractor Booz Allen Hamilton (BAH), as well as the login credentials needed to access code repositories that might contain classified information. Vickery said that the information appeared to have been accidentally leaked by a BAH employee.
Perhaps the crown jewel of the 28 gigabyte leak? Master credentials that would grant administrative access to a high-security Pentagon system.
“Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place,” UpGuard’s Dan O’Sullivan wrote in a blog post about the leak. “No hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”
The files have since been secured, but anyone who found them before Vickery could have downloaded the files and used them to access NGA, Booz Allen Hamilton or Pentagon data.
“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” Vickery said on Wednesday.
The NGA has gone into damage control mode, issuing a statement in which it said it had begun an investigation into the leak. “We immediately revoked the affected credentials when we first learned of the potential vulnerability,” the Wednesday statement read.
“NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”
Booz Allen is conducting their own investigation, a company spokesman told Gizmodo. “Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment. We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”
The NGA is the intelligence and combat-support agency that collects intelligence through geospatial imaging, social media georeferencing, and data analysis, earning it the nickname of the “Pentagon’s mapmakers.”
BAH enjoys an $86 million contract with the NGA. The contract was for the consultant to provide “integrated learning solutions and enabling functions through learning portfolio and performance management, registrar services and learning outreach, and faculty development” to the NGA.
BAH’s reputation suffered a catastrophic blow in 2013 when BAH employee and NSA contractor Edward Snowden leaked highly classified material. Another BAH employee, Harold Martin III, was arrested and charged with espionage when he was found to be in possession of over 50 terabytes of classified data in 2016.
“Obviously, Booz Allen is a large company and a well-respected defense contractor,” said national security lawyer Mark Zaid to Gizmodo. “And none of these cases are necessarily related to one another. But it still raises some real serious concerns about what’s going on with Booz Allen’s security protocols.”
This is the second time in recent months that sensitive US information has been left online for anyone to see. In March, a cache of Air Force files that included the Social Security numbers of officers and classified information from internal investigations was found unsecured online.