Cybersecurity

Booz Allen, NGA probe intel leak

Shutterstock image (by wk1003mike): cloud system fracture. 

Edward Snowden, Hal Martin and now another Booz Allen Hamilton employee could be involved in the leak of sensitive intelligence data -- though in the latest case, it appears it could be accidental.

As Gizmodo first reported, on May 24 Chris Vickery, a cyber risk analyst at UpGuard, discovered a trove of sensitive U.S. government data in an unsecured Amazon Web Services S3 bucket. He determined the data related to the National Geospatial-Intelligence Agency and appeared to have been uploaded by someone at BAH.

"Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place," UpGuard colleague Dan O'Sullivan wrote in a blog post. "No hacking was required to gain credentials needed for potentially accessing materials of a high classification level."

O'Sullivan stated that Vickery reported the find to BAH, and when the firm did not respond, he alerted the NGA, which promptly locked down the data.

"NGA confirmed an incident had occurred and that it did not involve access to classified information," the NGA said in a statement.

"NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials. The DevOps (.io) environment is separate from our production and not directly connected to classified networks in order to provide a level of standoff from operations."

NGA added that it will evaluate the situation before determining any course of action.

"It's important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA, though we reserve the right to address any violations or patterns of non-compliance appropriately," the statement continued.

BAH released a statement saying that it "promptly began an investigation into the accessibility of certain security keys in a cloud environment. We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."

The government has requested that UpGuard preserve the data it downloaded during the discovery, O'Sullivan wrote.

This situation is reminiscent of another case earlier this year when a security researcher at MacKeeper discovered an unsecured Air Force hard drive during a routine audit of publicly connected devices.

That drive contained backup data that included names and Social Security numbers of hundreds of service members and high ranking officers, as well as other sensitive documents, including a file with "Defense Information Systems instructions for encryption key recovery."  

MacKeeper researcher Bob Diachenko told FCW at the time that the device was "part of DOD/USAF network infrastructure, but apparently by some configuration mistake it was put outside the firewall and became visible."

Note: This article was updated on May 31 to clarify that the newly disclosed leak involved sensitive but not classified data. Additionally, the spelling of Dan O'Sullivan's name was corrected.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.