Defence contractor leaves sensitive US intelligence files on an unsecured Amazon server


More than 60,000 US Department of Defense files were stored on a publicly accessible Amazon server, it was discovered last week.

Gizmodo reports that the information held on the server included passwords to a US government system containing sensitive information and the security credentials of a lead senior engineer at intelligence and defence contractor Booz Allen Hamilton (BAH). The 28GB or so of data also contained around six unencrypted passwords belonging to government contractors with high-level clearance and was accessible to anyone with an internet connection. It also included Secure Shell keys belonging to a BAH engineer and credentials granting administrative access to at least one data center's operating system.

The initial discovery was by cybersecurity firm UpGuard, which has suggested the unprotected information is linked to the US National Geospatial-Intelligence Agency (NGA), which "delivers world-class geospatial intelligence that provides a decisive advantage to policymakers, warfighters, intelligence professionals and first responders".

The owner of the unsecured Amazon S3 bucket remains unknown, but according to UpGuard: "The domain registrations and credentials within the data set point to private-sector defence firm Booz Allen Hamilton (BAH), as well as industry peer Metronome – both of which are known NGA contractors."

UpGuard's Chris Vickery, who made the discovery, notified BAH's chief information security officer of the data breach on 24 May. Receiving no response, he emailed the NGA at 10:33am PST on 25 May, and nine minutes later the files were secured. At about 5pm the same day, hours after public access to the data had been shut down, BAH responded to Vickery's initial email, saying it was investigating the issue.
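The exposure described above came down to a bucket whose access grants let anyone on the internet read its contents. The following is an added example, not code from the article or from any of the companies named in it: a small evaluator that takes the JSON an S3 bucket ACL and bucket policy are returned as (the shape of `aws s3api get-bucket-acl` and `get-bucket-policy` output) and reports the grants that make a bucket public. The bucket name, account ID and role name are placeholders constructed for the example; the `AllUsers` and `AuthenticatedUsers` group URIs and the policy document format are the real AWS ones.

```python
"""Flag public-access grants in S3 bucket ACL and bucket-policy documents.

Added example for the article above, not the article's or BAH's code. It
evaluates documents already in hand (e.g. exported from the AWS CLI), so it
runs offline with no AWS credentials.
"""

# Group URIs AWS uses for "everyone" and "any authenticated AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Constructed sample ACL: the owner has FULL_CONTROL, and the anonymous
# AllUsers group has READ, which lets anyone list the bucket's objects.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample policy: an unconditional Allow to Principal "*" on every
# object, which lets anyone download any file. Bucket name is a placeholder.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-dev-bucket/*"},
    ],
}

# Hardened counterparts: owner-only ACL and a policy scoped to one IAM role
# (placeholder account ID and role name).
HARDENED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BuildRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-build-role"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-dev-bucket",
                      "arn:aws:s3:::example-dev-bucket/*"]},
    ],
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public S3 groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements whose Principal is a wildcard.

    Each finding records the Sid, the actions granted, and whether a Condition
    block narrows the grant (a conditional wildcard still deserves review, but
    is not counted as fully public by assess_bucket).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "statement-%d" % i),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditional": "Condition" in stmt,
        })
    return findings


def assess_bucket(acl, policy=None):
    """Combine ACL and policy findings into a single verdict for one bucket."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    is_public = bool(acl_findings) or any(not f["conditional"] for f in policy_findings)
    return {"public": is_public, "acl_grants": acl_findings,
            "policy_statements": policy_findings}


if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(name, assess_bucket(acl, pol))
```

The two signals are checked separately because either one alone is enough to expose a bucket: an ACL `READ` grant to `AllUsers` lists the object names, and a wildcard `s3:GetObject` statement hands out the contents. Running the evaluator over exported documents for every bucket in an account, on a schedule, is the monitoring that would have flagged this kind of misconfiguration before an outside researcher did.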

A spokesperson for BAH told Cloud Pro: "Both our client and Booz Allen have confirmed that no classified data was available on the impacted unclassified cloud environments. And we have confirmed that none of those usernames and passwords could have been used to access classified information. This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment."

"As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation. Again, the important point here is that the affected cloud areas were not designed to contain any classified information. Our client has said they've found no evidence that classified data was involved, and so far our forensics have indicated the same. While any incident of this nature is unacceptable and we hope to learn from it, so far we see this event as having limited impact," they added.

The NGA confirmed the leak to Gizmodo but said no classified information had been disclosed: "NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials." The spokesperson highlighted that the Amazon server hosting the data was not directly connected to classified networks.

This is troubling news for BAH, the company where Edward Snowden worked as a contractor for the NSA at the time he became a whistleblower.

Head of product management at Huntsman Security, Piers Wilson, said: "This incident demonstrates yet again how damaging insider threats can be, even when the threat itself could come from carelessness as much as any actual malicious intent. The problem is that most enterprise defences – such as firewalls or antivirus – aren't designed to protect against internal threats. If the analyst who discovered the breach hadn't been so diligent, who knows how long the problem might have continued for?"

"Leaving classified data unprotected on the cloud is a monumental breach and that's why it's so important to have a way of monitoring systems – not only for the organisation's own workers, but for any contractors that are employed. Organisations need to ensure nothing untoward is taking place regarding such sensitive data or that, when it does, it is immediately flagged up to security analysts who are able to take action – without burying those analysts in false alarms."

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.