US defense contractor left sensitive files on Amazon server with no password protection
Sensitive files linked to a United States intelligence agency were left on a public Amazon server, without password protection, by one of the nation's top intelligence contractors, according to a new report.
UpGuard cyber risk analyst Chris Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.
Documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors.
Although there were no top secret files in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials.
The roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance. The exposed data also contained master credentials granting administrative access to a highly protected Pentagon system.
The sensitive files have since been secured and were likely hidden from those who didn't know where to look for them, but anyone could have downloaded them, potentially allowing access to both highly classified Pentagon material and Booz Allen information.
"Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place."
Vickery is the one who, in 2015, reported a huge cache of more than 191 million US voter records and details of nearly 13 million MacKeeper users. Both NGA and Booz Allen are investigating the blunder.
"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," said a Booz Allen spokesperson.
"We secured those keys, and are