Top-secret data belonging to the United States Army Intelligence and Security Command, a joint U.S. Army and National Security Agency Defense Department command that gathers intelligence data, has been found exposed and open to the public.

It was yet another case of a misconfigured Amazon Web Services S3 storage instance. The discovery was made by Chris Vickery, director of cyber risk research at UpGuard Inc., who detailed in a blog post that the exposed S3 instance he stumbled upon in late September.

It included more than  100 gigabytes of data, including details of the top-secret Distributed Common Ground System-Army, an intelligence distribution platform that includes a cloud-based spying program called “Red Disk.”

Red Disk is said to have been developed to deliver intelligence to troops with tablets and laptop computers on the ground in Afghanistan via the cloud but was never fully deployed.

Other data found in the AWS S3 instance included an Open Virtual Appliance file, which contained a virtual hard drive and configuration data for a Linux-based virtual machine that could have been used by hackers to obtain access to the Pentagon. “While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems—an intrusion that malicious actors could have attempted had they found this bucket,” Vickery said.

The exposure of the data on a misconfigured S3 instance is not the first time a company or organization has managed to expose private data to the public and it likely won’t be the last. Previous examples of private data being exposed to the public on AWS include Accenture Plc., Verizon Communications Inc. and the U.S. military contractor TigerSwan. Amazon itself announced earlier this month a range of security features to prevent these “misconfigurations” occurring in the future.

Those “misconfigurations” ultimately occurred due to inept staff and a failure of those utilizing AWS to secure the data they uploaded. Carl Wright, chief revenue officer at AttackIQ Inc., told SiliconANGLE that more needs to be done at an enterprise level.

“Over the past month we have seen a number of enterprise organizations fail because they inadvertently did not configure existing security controls properly,” Wright said. “This is called a protection failure and indicates that these organizations are doing little to no testing to validate that existing security controls are working properly.”

“The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach,” Wright added. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”

Photo: rudiriet/Flickr