An “unintentional mistake” has been blamed by contractor Booz Allen Hamilton (BAH) for more than 60,000 US Department of Defense files that were left publicly exposed in an Amazon S3 repository.
Noted security researcher Chris Vickery, now a part of UpGuard’s Cyber Resilience Team, discovered the files, said to be related to a US National Geospatial-Intelligence Agency (NGA) project.
The agency typically handles satellite and drone surveillance imagery.
“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” wrote his colleague, cyber resilience analyst Dan O’Sullivan.
“Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.”
However, in a statement sent to the BBC, Booz Allen Hamilton claimed no classified data was stored in the S3 bucket.
“We have confirmed that none of those usernames and passwords could have been used to access classified information,” it noted.
“Our client has said they've found no evidence that classified data was involved, and so far our forensics have indicated the same.”
However, the speed with which the NGA responded may indicate the seriousness of the incident.
After trying and failing to get a response from Booz Allen Hamilton’s Chief Information Security Officer (CISO), Vickery notified the DoD agency and within nine minutes the repository was apparently secured.
This isn’t the first time BAH’s security processes have been found wanting.
Previous employees at the contractor include Edward Snowden and Harold Martin; the latter was indicted earlier this year for allegedly hoarding top-secret documents over a 20-year period.