UPDATED 02:49 EST / JUNE 01 2017

CLOUD

Defense contractor Booz Allen left sensitive US military data on unsecured AWS server

Sensitive U.S. military data relating to an intelligence agency project has been discovered on an unsecured Amazon Web Services Inc. server.

The data, made up of more than 60,000 files including security credentials and passwords to a government system containing sensitive information, was freely accessible with no password protection in place.

Gizmodo first reported the news Wednesday, saying that the data was found to be stored in a publicly accessible S3 cloud storage “bucket.” The data appears to have been uploaded to the cloud by the defense contractor Booz Allen Hamilton Inc., which has an $86 million contract with the National Geospatial-Intelligence Agency, under Department of Defense.

The breach was first discovered by cyber risk analyst Chris Vickery of the cyber resilience company UpGuard Inc., who alerted Booz Allen to the breach. The data was then secured within 10 minutes of its discovery.

“NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” the agency said in a statement. “For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”

Booz Allen is one of the largest defense contractors for the U.S. government. The company boasts a workforce of about 22,600, of whom around 69 percent hold security clearances with various U.S. intelligence agencies, according to company tax filings. For its fiscal year ending in March, Booz Allen generated about $1.3 billion in revenues from its U.S. intelligence agency contracts.

UpGuard told Gizmodo that the data was not secured in any way, and said that as a result, information that normally requires top secret-level security clearance was accessible to anyone who knew where to look for an undetermined amount of time.

Booz Allen contradicted these claims in its own statement however, saying that the documents contained no classified files and that the security credentials held within could not have been used to access classified information.

“This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment,” the contractor said in a statement. “As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation.”

Booz Allen is no stranger to security scandals. In fact, the company previously employed the world’s most infamous whistle-blower, Edward Snowden, to work on National Security Agency projects. Snowden was a Booz Allen employee at the time he fled to Hong Kong, before releasing thousands of files on the U.S. government’s PRISM program that allegedly carried out illegal surveillance of its own citizens.

Previous to that, Booz Allen saw one of its servers breached by the hacker group AntiSec, which promptly released more than 90,000 military email addresses onto the web.

Image: geralt/pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU