Sensitive data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) was left exposed on the Internet by defense and intelligence contractor Booz Allen Hamilton, a security firm revealed on Wednesday.
The NGA is a combat support and intelligence agency working under the Department of Defense. The geospatial intelligence provided by the organization is used by policymakers, the military, intelligence professionals and first responders.
Chris Vickery, a researcher who in the past identified billions of records exposed online due to weak configurations, discovered an unprotected Amazon S3 bucket containing tens of thousands of potentially sensitive files. Accessing the files did not require a password and all data was stored in clear text.
The data, belonging to the NGA, was connected – based on domain registration details and credentials – to Booz Allen Hamilton and another one of the agency’s contractors, Metronome. The files, some of which were marked as “top secret,” included military information, SSH keys belonging to a Booz Allen engineer, and admin credentials for a system housed by one of the contractor’s data centers.
Vickery, who recently joined cyber resilience firm UpGuard as a risk analyst, found the files on May 22 and notified Booz Allen two days later. After receiving no response from the company, Vickery alerted the NGA directly on May 25, and the exposed repository was secured within minutes. An unnamed government regulatory agency has asked UpGuard to hold on to the data.
The NGA said it immediately revoked affected credentials, but described the exposed files as “sensitive but unclassified information.” Booz Allen also claimed there was no evidence that any classified information or systems were exposed.
This is not the first time Vickery has discovered a data leak involving Booz Allen Hamilton. In late 2016, he reported that one of the company’s subcontractors, Potomac Healthcare Solutions, had leaked military healthcare worker data.
The intelligence contractor itself was involved in several security incidents in the past years, including a 2011 attack by Anonymous hacktivists, the Edward Snowden leaks, and the alleged theft of classified material by Harold Thomas Martin III.
The findings of Vickery and other researchers over the past years have demonstrated the risks posed by misconfigured AWS S3 buckets, but many organizations still fail to protect data stored in the cloud.
“AWS S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors,” explained Zohar Alon, Co-Founder and CEO of Dome9.
“This type of oversight exemplifies the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world,” Alon added.