A virtual disk image belonging to the NSA -- essentially the contents of a hard drive -- was left exposed on a public Amazon Web Services storage server. The server contained more than 100 gigabytes of data from an Army intelligence project codenamed "Red Disk," ZDNet first reported.
The server was unlisted, but it didn't have a password, which meant that anyone who found it could dig through the government's secret documents. That's exactly what happened in late September when Chris Vickery, director of cyber risk research at security company UpGuard, discovered the server. He alerted the government in October.
It was on the AWS subdomain "inscom," an abbreviation for the US Army Intelligence and Security Command.
"It was as simple as typing in a URL," Vickery said. "This data was top secret classification, as well as files obviously related to US intelligence networks. It's stuff used to target people for death, and it was all available in a URL."
Vickery said it had been so unbelievably easy to access that when he first discovered it, his first thought was, "Is this real?"
In the latest incident, the contents on the insecure AWS server are classified as "NOFORN," meaning the information is sensitive enough that even foreign allies are not allowed to see it, UpGuard said. The server contained 47 viewable files, three of which were downloadable and exposed national security data.
Most of the data couldn't be accessed without connecting to the Pentagon's network, the security firm's researchers said.
ZDNet was able to get a look at some of the files, and spotted a connection to Red Disk, a cloud-based intelligence system developed by the Army in 2013. Red Disk, a $93 million program considered a military failure, was designed to help the Pentagon with soldiers in the field collecting classified reports, drone footage and satellite images. The data all belonged to INSCOM, a division of both the Army and the NSA.
"Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser," UpGuard said in a blog post.