Defense contractor stored intelligence data in Amazon cloud unprotected [Updated]

Enlarge / NGA headquarters. A trove of top secret data processed by NGA contractor Booz Allen Hamilton was left exposed on a public Amazon cloud instance. (credit: Trevor Paglen)

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services’ S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton. And the files within were connected to the US National Geospatial-Intelligence Agency (NGA), the US military’s provider of battlefield satellite and drone surveillance imagery.

Based on domain-registration data tied to the servers linked to the S3 “bucket,” the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer’s remote login (SSH) keys and login credentials for at least one system in the company’s data center.

[Update, 5:10 PM] UpGuard’s post suggested the data may have been classified at up to the Top Secret level. A Booz-Allen spokesperson told Ars that the data was not connected to classified systems. However, the credentials included in the store could have provided access to more sensitive data, including code repositories.

Read 6 remaining paragraphs | Comments


Author: dasuberworm

Standing just over 2 meters and hailing from о́стров Ратма́нова, Dasuberworm is a professional cryptologist, entrepreneur and cage fighter. When he's not breaking cyphers and punching people in the face, Das enjoys receiving ominous DHL packages at one of his many drop sites in SE Asia.

Share This Post On