So while I was busy trying to get from there to here, UpGuard’s new site, Cyber Resilience, released its first blockbuster report:
In what constitutes the latest in a series of blows to the US intelligence community’s reputation for stringent information security, UpGuard’s Cyber Resilience Team can now reveal the discovery by Cyber Risk Analyst Chris Vickery of a publicly exposed file repository containing highly sensitive US military data. Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD). While the precise identity of the owner of the unsecured Amazon Web Services “S3” bucket on which the data set was hosted remains murky, domain registrations and credentials within the data set point to private-sector defense firm Booz Allen Hamilton (BAH), as well as industry peer Metronome — both of which are known NGA contractors.
Read more on CyberResilience.io. Booz Allen Hamilton may sound familiar to you from former breaches like AntiSec’s attack on them in 2011. Or maybe you’re recalling headlines in 2013 that pointed out that Edward Snowden had worked for the NSA through Booz Allen Hamilton. Then again, maybe you’re recalling that in 2016, another BAH employee who was contracted to work at the National Security Agency was arrested for stealing classified data.
Whatever you’re thinking of, this cannot possibly be okay for a high-level defense contractor to continue having such troubling data security incidents. So determining/confirming whether BAH actually owns the unsecured AWS bucket that Vickery found is very important. The firm does not appear to have issued any press release yet that I’ve been able to find, so this post may be updated as more information becomes available.