Booz Allen, NGA probe intel leak

Defense and intelligence contractor Booz Allen Hamilton and the National Geospatial-Intelligence Agency are investigating how a trove of sensitive program data was apparently uploaded to a public Amazon cloud server.

Shutterstock image (by wk1003mike): cloud system fracture.
 

Edward Snowden, Hal Martin and now another Booz Allen Hamilton employee could be involved in the leak of sensitive intelligence data -- though in the latest case, it appears it could be accidental.

As Gizmodo first reported, on May 24 Chris Vickery, a cyber risk analyst at UpGuard, discovered a trove of sensitive U.S. government data in an unsecured Amazon Web Services S3 bucket. He determined the data related to the National Geospatial-Intelligence Agency and appeared to have been uploaded by someone at BAH.

"Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place," UpGuard colleague Dan O'Sullivan wrote in a blog post. "No hacking was required to gain credentials needed for potentially accessing materials of a high classification level."

O'Sullivan stated that Vickery reported the find to BAH, and when the firm did not respond, he alerted the NGA, which promptly locked down the data.

"NGA confirmed an incident had occurred and that it did not involve access to classified information," the NGA said in a statement.

"NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials. The DevOps (.io) environment is separate from our production and not directly connected to classified networks in order to provide a level of standoff from operations."

NGA added that it will evaluate the situation before determining any course of action.

"It's important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA, though we reserve the right to address any violations or patterns of non-compliance appropriately," the statement continued.

BAH released a statement saying that it "promptly began an investigation into the accessibility of certain security keys in a cloud environment. We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."

The government has requested that UpGuard preserve the data it downloaded during the discovery, O'Sullivan wrote.

This situation is reminiscent of another case earlier this year when a security researcher at MacKeeper discovered an unsecured Air Force hard drive during a routine audit of publicly connected devices.

That drive contained backup data that included names and Social Security numbers of hundreds of service members and high ranking officers, as well as other sensitive documents, including a file with "Defense Information Systems instructions for encryption key recovery."  

MacKeeper researcher Bob Diachenko told FCW at the time that the device was "part of DOD/USAF network infrastructure, but apparently by some configuration mistake it was put outside the firewall and became visible."

Note: This article was updated on May 31 to clarify that the newly disclosed leak involved sensitive but not classified data. Additionally, the spelling of Dan O'Sullivan's name was corrected.