A cache of highly sensitive US government intelligence data was found freely exposed on a public Amazon server. Around 28GB of the Pentagon's classified data tied to a military project that contained unencrypted passwords and security credentials belonging to government contractors with "top secret" security clearance was found leaking on a publicly accessible Amazon server.
The data came from an account linked to Booz Allen Hamilton, the very same US contractor that also briefly employed Edward Snowden. The data exposed contained files connected to the US National Geospatial-Intelligence Agency (NGA) – a highly secretive intelligence organisation that many refer to as the Pentagon's "mapmakers".
The data was first discovered by security researcher Chris Vickery. The researcher, who works for security firm UpGuard, notified Booz Allen Hamilton's Chief Information Security Officer (CISO) of the potential breach on 24 May but received no response. He then contacted the NGA the next day and within 10 minutes of having sent an email, the exposed data was secured. UpGuard security researcher called this "an impressively speedy response time from a major US intelligence agency," in a blog post.
"Information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level," UpGuard said.
NGA and Booz Allen confirmed the leak
The NGA confirmed the leak, stressing that no classified data was disclosed. "NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials," a spokesperson for the agency told Gizmodo, adding that the Amazon server where the data was found was "not directly connected to classified networks," the spokesperson noted.
"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," a Booz Allen spokesman said. "We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."
The firm told ArsTechnica that the data was not connected to classified systems.
What was leaked?
According to UpGuard, around 60,000 of the Pentagon's files were leaked, which included several unencrypted passwords of US government contractors.
The leaked data included security credentials of a Booz Allen IT engineer as well as the master keys to the operating system of a data centre. The leaked files also contained credentials used to access a protected Pentagon system called the GEOAxIS.
UpGuard said it received an "explicit government request" to store the data downloaded as part of this discovery. The firm is complying with the request until it is "cleared to securely and permanently delete this data".
The leak is likely to serve as yet another blow to the US intelligence community. The past year has seen American intelligence agencies such as the CIA and the NSA become the victim to high-profile leaks, highlighting a troubling trend of security gaffs.
It remains unclear as to how long the Pentagon's sensitive data remained exposed. Such leaks can pose as major threats to national security, especially given how these leaks are essentially ripe for the picking of nation-state hackers, such as those affiliated with Russia, China and North Korea.