Leading U.S. government contractor Booz Allen Hamilton has been found to have left more than 60,000 sensitive files on a publicly accessible Amazon Web Services server, according to a leading cybersecurity researcher.
The files were discovered by Chris Vickery, an analyst at the cybersecurity firm UpGuard, who told CyberScoop it’s “highly likely” that malicious actors are downloading this publicly exposed data but said it remains unclear if anyone realized and acted on the gravity of the exposed data. A large part of Booz Allen Hamilton’s business is contracting with intelligence agencies.
On May 26, four days after the discovery was first made, the U.S. government requested UpGuard preserve the data it discovered during its investigation. UpGuard is not naming the specific agency it spoke with in compliance with the request.
The data leakage was first reported by Gizmodo on Wednesday.
The revelation came just hours after a company spokesperson said the former FBI Director Robert Mueller’s review of Booz Allen Hamilton security, personnel and management practices is “substantially complete.” The final report will be in the hands of the company’s leadership shortly.
Booz Allen Hamilton, the most profitable government contractor in the world, has been connected to a number of high-profile data leaks in recent years, including the whistleblowing and leaking of data by Edward Snowden and the alleged theft of a massive trove of NSA documents by Hal Martin.
Late last year, the company hired former FBI director Robert Mueller to investigate the high-profile losses. Earlier this month, Mueller was appointed special counsel to oversee the investigation into Russian interference in the 2016 US presidential campaign.
Although none of the files were classified, they included passwords to sensitive government systems, credentials belonging to a senior engineer at Booz Allen Hamilton, vulnerability reports on government source code and government contractors with Top Secret clearances. The exposed files are linked to the National Geospatial-Intelligence Agency (NGA), the Department of Defense agency that collects and analyzes data gathered by satellites and drones for the U.S. military and intelligence community.
The sensitive data appears to have been exposed to the public for the last three months since it was uploaded in February 2017, according to Vickery.
Seemingly referencing Booz Allen Hamilton’s history, NGA’s statement on the latest incident noted that the agency will “address any violations or patterns of non-compliance appropriately.”
“Information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” Dan O’Sullivan, an analyst at UpGuard, explained. “Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.”
Vickery’s initial attempts to contact Booz Allen Hamilton went nowhere until, a day later, he contacted NGA. It took nine minutes for a response from the intelligence agency and seven more hours for a response from the company.
“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” Kimberly Schrader West, a Booz Allen Hamilton spokesperson, said in a statement. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”