Secret US Army Data Possibly Found on Public Server

Confidential US Army data may have been left online for anyone to view.

The trove of data was stored on an Amazon cloud server, and apparently configured for public access, according to Chris Vickery, a security researcher with UpGuard. Some of the exposed files were marked as Top Secret, and appeared to belong to US Army Intelligence and Security Command (INSCOM), UpGuard said in a Tuesday blog post.

PCMag hasn’t been able to independently confirm the breach. The US Army and INSCOM didn’t immediately respond for a request for comment.

Vickery found the data on an Amazon Web Services S3 cloud storage bucket in September; all you needed to see it was the URL.

There was information on an Army program that’s designed to supply soldiers with real-time intelligence on the battlefield, as well as a virtual hard drive, and a Linux-based operating system that may have been designed to send and receive classified information. Neither the hard drive nor the OS were fully accessible unless connected to Pentagon systems, but the data certainly would have piqued the interest of foreign spies, UpGuard said.

INSCOM not only conducts intelligence opertions for the US Army, but it also partners with the US National Security Agency.

Why the data was stored on a public cloud server isn’t clear. But the information it carried was probably made available to a US defense contractor. UpGuard found the data contained private keys belonging to employees from Invertix, which is now owned by Altamira, a US government IT provider.

It isn’t the first time UpGuard has found sensitive-looking information exposed over a misconfigured Amazon cloud server. The US Defense Department, Verizon, and Dow Jones recently made similar mistakes by failing to make private data stored on Amazon Web Services.

Changing the permission settings to the AWS server can fix the problem. In the US Army case, Vickery said the data has been secured, but the responsible authorities haven’t commented about the potential leak. “It’s usually a one-way street with those types of entities. You don’t hear back much, if anything,” he said.