On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services’ S3 storage service that contained highly classified intelligence data. The files, which were connected to the US National Geospatial-Intelligence Agency (NGA)—the US military’s provider of battlefield satellite and drone surveillance imagery—were posted to an account linked to defense and intelligence contractor Booz Allen Hamilton.
Based on domain-registration data tied to the servers linked to the S3 “bucket,” the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer’s remote login (SSH) keys, as well as login credentials for at least one system in the company’s data center.
[Update, 5:10 PM] UpGuard’s post suggested the data may have been classified at up to the Top Secret level. However, a Booz-Allen spokesperson told Ars that the data was not connected to classified systems. However, the credentials included in the store could have provided access to more sensitive data, including code repositories.
In a statement, an NGA spokesperson said that no classified data had been disclosed by the security oversight, and that the storage was “not directly connected to classified networks.”
Vickery immediately sent an e-mail to Booz Allen Hamilton’s chief information security officer but received no response. The next morning, he contacted the NGA and within nine minutes, access to the storage bucket was cut off.
“NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” the NGA’s spokesperson said in the official statement.
At 8PM Eastern time on May 25, Booz Allen Hamilton’s security…