Classified US Army and NSA data was stored on an unprotected server

The publicly viewable information included material labeled ‘Top Secret.’

Sponsored Links

Brooks Kraft via Getty Images
Brooks Kraft via Getty Images

Earlier this month, researchers at UpGuard reported that US military intelligence gathering data had been stored on a misconfigured Amazon Web Services S3 server that wasn't password protected and was publicly viewable. While the data in that leak appeared to consist entirely of collected public internet posts and news commentary, not private information, the team at UpGuard today reports another US government data leak, this time containing clearly classified information.

This batch of data was discovered by UpGuard Director of Cyber Risk Research Chris Vickery in September and contained information from the US Army Intelligence and Security Command (INSCOM) -- an intelligence gathering command jointly run by the US Army and the National Security Agency (NSA). The data was stored on an Amazon Web Services S3 cloud storage bucket mistakenly configured for public access. Within the accessible repository -- found under the very obviously labeled 'inscom' subdomain -- were 47 viewable files and folders, three of which were able to be downloaded. The largest downloadable file contained a virtual hard drive, which appeared to be used for receiving, transmitting and handling classified data, with files within it marked as "Top Secret" and "NOFORN" -- a classification meaning that no foreign nationals can view the documents regardless of what clearance level they hold. There were also private keys used for accessing distributed intelligence systems and hashed passwords stored in the hard drive.

The other two downloadable files provided instruction for the contents in the file with the virtual hard drive and what appeared to be a training snapshot on how to label and categorize classified information. At least some of the information in the repository was accessed and managed by a third-party INSCOM partner.

"Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data," said UpGuard in its report. Previous UpGuard finds include sensitive data exposed by a defense contractor, a Verizon partner, a political ad strategizing firm hired by the GOP, a voting machine supplier and a major consulting and management company.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

UpGuard notes that this leak could have been avoided if the server access settings had just been configured to only allow authorized individuals into the repository, but that handing over data management to third-party companies, in this case a defense contractor called Invertix, opens that data up to more mistakes. "If the right hand does not know what the left hand is doing, the entire body will be injured," says UpGuard, "The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike."

Engadget was owned by Verizon between June 2015 and September 2021. Engadget's parent company is now Yahoo Inc.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
View All Comments
Classified US Army and NSA data was stored on an unprotected server