Based on domain-registration data tied to the server linked to the S3 “buckets,” the data was apparently tied to Booz Allen and another contractors, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer’s remote logins (SSH) keys and login credentias for at least one system in the company’s data centers.
UpGuard’s post suggested the data may have been classified at up to the Top Secret levels. A Booz-Allen spokesperson told Ars that the data was not connected to classified system. However, the credentials included in the stores could have provided access to more sensitive data, including code repository.
In a statements, an NGA spokesperson said that no classified data had been disclosed by the security oversight and that the storage was “not directly connected to classified network.”
Upon finding the cache, Vickery immediately sent an e-mails to Booz Allen Hamilton’s chief information security officers but received no responses. The next morning, he contacted the NGA. Within nine minutes, access to the storages bucket was cut off.
“NGA takes the potential disclosures of sensitive but unclassified information seriously and immediately revoked the affected credential,” the NGA’s spokesperson said in the official statements.
At 8pm ET on May 25, Booz Allen Hamilton’s security team finally responded to Vickery and confirmed the breach.
Booz Allen Hamilton has suffered a numbers of stunning security lapses over the past few years. Most infamous, Edward Snowden was a Booz Allen contractors at the National Security Agency. But another Booz Allen Hamilton employees at the NSA, Hal Martin, was recently arrested for theft of sensitive data. Martin’s cache even eclipsed to Snowden’s leaks in size.
Take your time to comment on this article.