
This article was published on May 31, 2017

Department of Defense data discovered on unprotected Amazon server

Story by Rachel Kaser

Internet Culture Writer

Rachel is a writer and former game critic from Central Texas. She enjoys gaming, writing mystery stories, streaming on Twitch, and horseback riding. Check her Twitter for curmudgeonly criticisms.

Sensitive government information from an American defense contractor was recently found on an unsecured Amazon server. It was free for anyone to access — no password required.

The information was housed in a publicly-accessible S3 cloud storage “bucket.” Data found in the bucket points to Booz Allen Hamilton (BAH), an intelligence and defense consulting firm. BAH has an $86 million contract from the National Geospatial-Intelligence Agency (NGA), an agency working under the Department of Defense.

The breach was discovered last week by Chris Vickery, a Cyber Risk Analyst for cyber resilience firm UpGuard. Vickery immediately emailed BAH, and then the NGA, to alert them. The NGA secured the information within ten minutes.

UpGuard reports that the information was not encrypted in any way:

In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.

According to Gizmodo, no classified information was available on the server, but there were enough credentials to accommodate anyone who wanted to cause mischief. An agency spokesperson said, “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials.”

via Gizmodo