Unprotected US Military Data Found On Amazon Web Server, Contractor Calls It 'Unintentional Mistake'

The servers of Amazon Web Services (AWS), a subsidiary of Amazon.com are used by many corporations, governments and individuals for cloud computing. But, in a surprise turn of events, sensitive US military data was found exposed on the server — around 60,000 sensitive US military files publicly accessible, the BBC reported Thursday citing a security researcher.

Read: Ashley Madison Hack: New Data Dump Targets Company Founder; Over 15K Accounts Linked To Federal And Military Officials

The files containing passwords for U.S. government systems and security credentials of a software engineer working under defense contractor Booz Allen Hamilton were discovered by cyber resilience firm UpGuard analyst, Chris Vickery. They were connected to a project for the U.S. National Geo-Spatial Agency, which works on satellite and drone-based surveillance. Vickery said finding the data wasn’t difficult as it was discovered during a routine search of the Amazon Web Service’s simple storage services Simple Storage Service buckets.

"I wasn't very surprised at finding yet another publicly exposed bucket until I realized the data it contained was related to a government project," Vickery said. He first emailed Booz Allen Hamilton to inform them of the leak on May 24 and, after no response from them, he emailed the National Geo-Spatial Agency on May 25.

The contractor denied any classified data was at risk because of the data leak.

"We have confirmed that none of those usernames and passwords could have been used to access classified information," the company told the BBC.

Read: Amazon Web Services Experiences Outages Sunday Morning, Causing Disruptions On Netflix, Tinder, Airbnb And More

The company stated the leak had occurred because of an unintentional mistake. “As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation. Our client has said they've found no evidence that classified data was involved, and so far our forensics have indicated the same,” the company said.

However, Vickery stated the data was taken off in nine minutes as soon as Vickery sent the email marked ‘escalated’. Furthermore, UpGuard stated it had been asked to preserve all the data downloaded by Vickery, but did not reveal, which agency had made the request.

The finding is peculiar, since Amazon Web Service stores public data and U.S. military data is generally stored on the U.S. government’s servers. The logical surmise would be this might be data given to private contractors working for the government, but still the lack of security protocols is surprising, since surveillance data, if exposed, could endanger the military’s operations abroad.

The reliance on Amazon Web Service too seems to be lagging in maintaining protocol since the servers have gone down twice in the past two years causing massive outages and disrupting services like Netflix and Airbnb.