The Department of Defense contractor Booz Allen Hamilton (BAH) recently placed more than 60,000 sensitive Pentagon files on a publicly accessible server, Gizmodo reports.
The files, comprising approximately 28GB of data, included at least six unencrypted passwords belonging to users with Top Secret Facility Clearance.
The leak was discovered last month by UpGuard cyber risk analyst Chris Vickery.
“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in a blog post.
“Unprotected by even a password, the plain text information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system,” O’Sullivan added.
The exposed files contained numerous references to the U.S. National Geospatial-Intelligence Agency (NGA), which recently awarded BAH an $86 million contract to train current and future employees.
An NGA spokesperson confirmed the leak to Gizmodo, but said no classified information was exposed. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” the spokesperson said.
Dome9 co-founder and CEO Zohar Alon told eSecurity Planet by email that the security of Amazon S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by users.
“This type of oversight exemplifies the one-strike law for security in the public cloud,” Alon said. “A single vulnerability or security or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world.”
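As an added illustration of the check a bucket owner can run against the kind of exposure described above (example code written for this article, not from UpGuard, Dome9 or BAH), the Python below flags bucket-policy statements and ACL grants that are open to any principal. The sample policy and ACL documents are constructed; the incident's real configuration is not reproduced here.

```python
import json

# AWS predefined group URIs; a grant to either makes the bucket reachable by anyone.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # A policy principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_policy_statements(policy_json):
    """Return Sids (or positions) of Allow statements that grant to any principal
    with no Condition block narrowing the grant."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants (e.g. VPC endpoint only) need a human look
        findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings

def public_acl_grants(acl):
    """Return permissions the bucket ACL hands to the public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS)

# Constructed sample inputs shaped like GetBucketPolicy / GetBucketAcl responses
# (not the real bucket's configuration, which the article does not reproduce).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamOnly", "Effect": "Allow", "Action": "s3:*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Ops"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

Run over real accounts, the same two functions can be fed the output of the S3 GetBucketPolicy and GetBucketAcl API calls for every bucket; any non-empty result is a bucket worth reviewing before someone else finds it.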
Databases Exposed Online
According to RedLock’s recently released Public Cloud Infrastructure Security Trends report, 31 percent of databases in public cloud computing environments are open to the Internet, and 82 percent are not encrypted.
Ninety-three percent of resources in public cloud environments don’t restrict outbound traffic at all, and 58 percent of root accounts don’t have multi-factor authentication enabled.
Forty percent of organizations that use public cloud services have inadvertently exposed at least one of those services to the public.
“Public cloud computing environments are incredibly dynamic — our research shows that the average lifespan of a cloud resource is only 127 minutes — and traditional security strategies can’t keep pace,” RedLock CTO Gaurav Kumar said in a statement.