Defense contractor stored intelligence data in Amazon cloud unprotected

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton. And the files within were connected to the US National Geospatial-Intelligence Agency (NGA), the US military's provider of battlefield satellite and drone surveillance imagery.

Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer's remote login (SSH) keys and login credentials for at least one system in the company's data center.

 UpGuard's post suggested the data may have been classified at up to the Top Secret level. A Booz-Allen spokesperson told Ars that the data was not connected to classified systems. However, the credentials included in the store could have provided access to more sensitive data, including code repositories.

In a statement, an NGA spokesperson said that no classified data had been disclosed by the security oversight and that the storage was "not directly connected to classified networks."

Upon finding the cache, Vickery immediately sent an e-mail to Booz Allen Hamilton's chief information security officer but received no response. The next morning, he contacted the NGA. Within nine minutes, access to the storage bucket was cut off.

"NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials," the NGA's spokesperson said in the official statement.

At 8pm ET on May 25, Booz Allen Hamilton's security team finally responded to Vickery and confirmed the breach.

Booz Allen Hamilton has suffered a number of stunning security lapses over the past few years. Most infamous, Edward Snowden was a Booz Allen contractor at the National Security Agency. But another Booz Allen Hamilton employee at the NSA, Hal Martin, was recently arrested for theft of sensitive data. Martin's cache even eclipsed Snowden's leaks in size.

NGA has used Amazon's cloud for a number of unclassified tasks. In 2015, NGA contracted Esri and Lockheed Martin to create a portal to unclassified geospatial intelligence based on Esri's ArcGIS geospatial information system using Amazon's commercial cloud. Amazon Web Services also offers GovCloud, an isolated "region" in AWS for handling sensitive government applications.