CNET también está disponible en español.

Ir a español

Don't show this again

Security

US military data reportedly left on unsecured Amazon server

Defense contractor Booz Allen Hamilton is linked to an account that contained login credentials for other data repositories.

Open vault door revealing binary code
Chris Clor

Highly sensitive military data about a US intelligence agency project has been discovered on a publicly accessible server without password protection, according to a new report.

UpGuard said Wednesday an analyst with the security firm discovered tens of thousands of documents last week on an Amazon cloud server that are connected to the US National Geospatial-Intelligence Agency (NGA), the US military's combat support agency. Credentials found in the exposed files suggest the data was uploaded to the cloud by defense and intelligence contractor Booz Allen Hamilton, UpGuard reported.

The files included the log-in credentials that could have provided access to more sensitive data, including code repositories, UpGuard said.

Booz Allen has a large presence at US intelligence agencies. The company has a workforce of about 22,600, and 69 percent of its workers hold security clearances with US intelligence agencies, according to company tax filings. Booz Allen generated $1.3 billion in revenue from contracts with US intelligence agencies, including the NSA, in the fiscal year ending in March 2016.

The NGA said it took immediate action to close the potential vulnerability after learning of it last week from UpGuard and through social media.

"NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials," the agency said in a statement. "For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."

However, Booz Allen Hamilton said the cache of documents contained no classified files and that the credentials couldn't have been used to access classified information.

"This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment," Booz Allen said in a statement. "As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation."

Booz Allen Hamilton, the same consulting firm that NSA whistle-blower Edward Snowden worked for, is no stranger to reports of leaked data. In 2011, hackers associated with AntiSec claimed to have compromised a server at the consulting firm and released internal data, including about 90,000 military e-mail addresses. In another incident, an NSA contractor working for Booz Allen was arrested last year after the FBI found he had been hiding top secret documents that could have caused "exceptionally grave damage" to the US' national security, according to the Justice Department.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Batteries Not Included: The CNET team reminds us why tech is cool.