"Critical data" on a joint program between the U.S. Army and the National Security Agency was available online without a password, cybersecurity company Upguard reports.
Upguard Director of Cyber Risk Research Chris Vickery found the data in an exposed Amazon Web Services cloud storage bucket that required no password to access, only a URL. In total, 47 files and folders were viewable within the repository, three of which contained classified information and could be downloaded. The data came from U.S. Army Intelligence and Security Command, a military intelligence unit run jointly by the NSA and the Army.
"Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies," Upguard's Dan O'Sullivan wrote in the report.
The exposed data "also reveals sensitive details concerning the Defense Department's battlefield intelligence platform" and "the Distributed Common Ground System," or DCGS-A, which was an attempt by the intelligence community to build a wide-ranging intelligence network.
"If, then, such a high level of sensitivity is inherent to the data, how could it be exposed?" O'Sullivan asks. "Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible."
He ends with a warning: "If the right hand does not know what the left hand is doing, the entire body will be injured. The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike."