Booz Allen, NGA probe intel leak

Shutterstock image (by wk1003mike): cloud system fracture. 

Edward Snowden, Hal Martin and now another Booz Allen Hamilton employee could be involved in the leak of sensitive intelligence data -- though in the latest case, it appears it could be accidental.

As Gizmodo first reported, on May 24 Chris Vickery, a cyber risk analyst at UpGuard, discovered a trove of sensitive U.S. government data in an unsecured Amazon Web Services S3 bucket. He determined the data related to the National Geospatial-Intelligence Agency and appeared to have been uploaded by someone at BAH.

"Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place," UpGuard colleague Dan O'Sullivan wrote in a blog post. "No hacking was required to gain credentials needed for potentially accessing materials of a high classification level."

O'Sullivan stated that Vickery reported the find to BAH, and when the firm did not respond, he alerted the NGA, which promptly locked down the data.

"NGA confirmed an incident had occurred and that it did not involve access to classified information," the NGA said in a statement.

"NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials. The DevOps (.io) environment is separate from our production and not directly connected to classified networks in order to provide a level of standoff from operations."

NGA added that it will evaluate the situation before determining any course of action.

"It's important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA, though we reserve the right to address any violations or patterns of non-compliance appropriately," the statement continued.

BAH released a statement saying that it "promptly began an investigation into the accessibility of certain security keys in a cloud environment. We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."

The government has requested that UpGuard preserve the data it downloaded during the discovery, O'Sullivan wrote.

This situation is reminiscent of another case earlier this year when a security researcher at MacKeeper discovered an unsecured Air Force hard drive during a routine audit of publicly connected devices.

That drive contained backup data that included names and Social Security numbers of hundreds of service members and high ranking officers, as well as other sensitive documents, including a file with "Defense Information Systems instructions for encryption key recovery."  

MacKeeper researcher Bob Diachenko told FCW at the time that the device was "part of DOD/USAF network infrastructure, but apparently by some configuration mistake it was put outside the firewall and became visible."

Note: This article was updated on May 31 to clarify that the newly disclosed leak involved sensitive but not classified data. Additionally, the spelling of Dan O'Sullivan's name was corrected.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.