A publicly exposed repository of sensitive military data related to the National Geospatial-Intelligence Agency was discovered by Upguard’s Cyber Risk Analyst Chris Vickery, the company announced on May 31.
“Analysis of the exposed information suggests the overall project is related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD),” UpGuard Cyber Resilience Analyst Dan O’Sullivan wrote in a blog post about the discovery.
The data was discovered in a publicly accessible Amazon Web Services S3 bucket, which Vickery was reportedly able to find without hacking or use of a password. Analysis of the data suggested that it could belong to contractor Booz Allen Hamilton, which has previously had issues of employees Edward Snowden and Harold Thomas Martin willfully leaking government information.
According to the blog post, though Vickery reached out to Booz Allen Hamilton’s chief information security officer twice in late May, the file repository was only secured after the second notification, and Vickery received a “belated” response stating that the company was looking into the discovery.
“Vendor risk is as real as any internal risk, if the vendor is relied upon in any serious way,” O’Sullivan wrote. “While it is not every day that such a risk might affect questions about international stability in East Asia, or warfare in the Middle East, the lessons of such failings of cyber resilience are relevant to any IT operation.”
