
Just over four years ago, Edward Snowden blew the lid off some of the NSA's most powerful programs and tools for monitoring global communications around the world. In the aftermath of that intelligence debacle — and whatever you think of Edward Snowden and his actions, his releases certainly qualified as a debacle for his employer and its reputation — one would have expected Booz Allen Hamilton to have dramatically overhauled its security procedures, tightened its policies, and taken some basic steps to seal its Titanic-sized leaks. But whatever BAH did to improve security, it wasn't enough to prevent a different contractor, Harold Martin III, from stealing an estimated 50TB of data.

To be clear, as of this writing, no proof has been presented that Martin actually disseminated any of this information, and the government has not charged that Martin leaked information to the press or gave it to anyone. Even so, it's not a great situation for Booz Allen Hamilton. And now, just 8 short months later, they've got another debacle on their hands.

On May 24, Chris Vickery, a risk analyst with UpGuard, found an enormous public repository of federal data that contained "highly sensitive" military information as well. Analysis of the files showed that they were related to the US National Geospatial-Intelligence Agency (NGA). This might not seem like much of a leak compared with, say, secret government contacts or juicy national spy programs, but geospatial intelligence (GEOINT) is critical to almost every aspect of modern intelligence gathering. Concerned about whether or not North Korea is moving portable missile launchers into launch positions? That's GEOINT. Concerned about a buildup of troops on the Iranian border? That's GEOINT.

The exact specifications and capabilities of US spy satellites are kept classified. But some of those capabilities can be determined if you have the data sets in question. If, for example, you can read the license plates in various spy satellite images, you know the country that took the photos has cameras that can resolve down to that level of detail. As Cyberresilience.io points out, the NGA is where the US houses its data on North Korean missile silos or battlefield imaging in Afghanistan. It's not the sort of data you want enemies to have access to.

Image by Cyberresilience.io

The data, which was housed in an Amazon S3 web service "bucket," wasn't directly registered to Booz Allen Hamilton, but signs apparently point in that direction. Here's how Cyberresilience.io describes what happened:

In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center's operating system.

After receiving no response from BAH to his initial notification, Vickery escalated his notification attempts by sending an email to the NGA at 10:33 AM PST, Thursday, May 25th. Nine minutes later, at 10:42 AM PST, the file repository was secured — an impressively speedy response time from a major US intelligence agency.
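The exposure described above comes down to three S3 settings: the bucket's ACL, its bucket policy, and its Block Public Access configuration. As an added example (not code from UpGuard, BAH or Cyberresilience.io), the Python below audits those three settings, working on the JSON shapes the S3 API returns, so that it runs offline on constructed input; fetching the live settings with boto3 is left to the caller.

```python
import json

# Pre-defined grantee URIs meaning "anyone on the Internet" / "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def principal_is_public(principal):
    """True if a policy Principal admits everyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(acl_grants, policy_json, public_access_block):
    """Return findings explaining why the bucket is reachable without credentials.
    Inputs mirror GetBucketAcl()["Grants"], GetBucketPolicy()["Policy"] (a JSON
    string, or None) and GetPublicAccessBlock()["PublicAccessBlockConfiguration"]."""
    findings = []
    pab = public_access_block or {}
    # Block Public Access, when enabled, neutralises public ACLs and public policies.
    acl_blocked = pab.get("IgnorePublicAcls", False)
    policy_blocked = pab.get("RestrictPublicBuckets", False)
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS and not acl_blocked:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    if policy_json and not policy_blocked:
        for stmt in json.loads(policy_json).get("Statement", []):
            # Every Allow to "*" is flagged; a Condition may narrow it, so review those by hand.
            if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
                actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
                findings.append("policy allows " + ", ".join(actions) + " to any principal")
    return findings

# Constructed sample: a bucket left world-readable by its ACL, with no Block Public Access set.
EXPOSED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_ACL, None, None))          # ['ACL grants READ to AllUsers']
    print(audit_bucket(EXPOSED_ACL, None, HARDENED_PAB))  # []
```

The same ACL that exposes the bucket produces no finding once the four Block Public Access flags are on, which is the setting to compare against when reviewing an account.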

It's not a good look for one of America's top defense contractors. And it's bound to raise further questions about what, exactly, BAH is doing — or not doing — to lock down national security data. Initially, UpGuard claimed that the data found in the insecure repository was classified as Top Secret. BAH has told Ars Technica that while the information wasn't directly connected to classified systems, credentials included within the store could have been used to access more sensitive material.
