Sensitive government information from an American defense contractor was recently found on an unsecured Amazon server. It was free for anyone to access — no password required.
The information was housed in a publicly-accessible S3 cloud storage “bucket.” Data found in the bucket points to Booz Allen Hamilton (BAH), an intelligence and defense consulting firm. BAH has an $86 million contract from the National Geospatial-Intelligence Agency (NGA), an agency working under the Department of Defense.
The breach was discovered last week by Chris Vickery, a Cyber Risk Analyst for cyber resilience firm UpGuard. Vickery immediately emailed BAH, and then the NGA, to alert them. The NGA secured the information within ten minutes.
UpGuard reports that the information was not encrypted in any way:
In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.
According to Gizmodo, no classified information was available on the server, but there were enough credentials to accommodate anyone who wanted to cause mischief. An agency spokesperson said, “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials.”