Earlier this month, researchers at UpGuard reported that US military intelligence gathering data had been stored on a misconfigured Amazon Web Services S3 server that wasn't password protected and was publicly viewable. While the data in that leak appeared to consist entirely of collected public internet posts and news commentary, not private information, the team at UpGuard today reports another US government data leak, this time containing clearly classified information.
This batch of data was discovered by UpGuard Director of Cyber Risk Research Chris Vickery in September and contained information from the US Army Intelligence and Security Command (INSCOM) -- an intelligence gathering command jointly run by the US Army and the National Security Agency (NSA). The data was stored on an Amazon Web Services S3 cloud storage bucket mistakenly configured for public access. Within the accessible repository -- found under the very obviously labeled 'inscom' subdomain -- were 47 viewable files and folders, three of which were able to be downloaded. The largest downloadable file contained a virtual hard drive, which appeared to be used for receiving, transmitting and handling classified data, with files within it marked as "Top Secret" and "NOFORN" -- a classification meaning that no foreign nationals can view the documents regardless of what clearance level they hold. There were also private keys used for accessing distributed intelligence systems and hashed passwords stored in the hard drive.
The other two downloadable files provided instruction for the contents in the file with the virtual hard drive and what appeared to be a training snapshot on how to label and categorize classified information. At least some of the information in the repository was accessed and managed by a third-party INSCOM partner.
"Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data," said UpGuard in its report. Previous UpGuard finds include sensitive data exposed by a defense contractor, a Verizon partner, a political ad strategizing firm hired by the GOP, a voting machine supplier and a major consulting and management company.
UpGuard notes that this leak could have been avoided if the server access settings had just been configured to only allow authorized individuals into the repository, but that handing over data management to third-party companies, in this case a defense contractor called Invertix, opens that data up to more mistakes. "If the right hand does not know what the left hand is doing, the entire body will be injured," says UpGuard, "The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike."