According to a security researcher, over 60,000 unprotected US military files were found on a public Amazon web server.

The Finding

A security researcher, Chris Vickery, has found over 60,000 unprotected US military files on an Amazon web server. The contents included passwords for government systems, as well as security credentials belonging to defense contractor Booz Allen Hamilton (BAH). The data is reportedly connected to the US National Geospatial-Intelligence Agency, an agency which handles “satellite and drone surveillance imagery.”

Chris Vickery told the BBC that he found the files during “a routine search for publicly accessible Amazon [simple storage service] buckets.”

“I wasn’t very surprised at finding yet another publicly exposed bucket until I realized the data it contained was related to a government project.” Vickery said he reported his findings to the chief security officer at BAH on the 24th of May.

“When I hadn’t heard back from him by the following day, I forwarded the same notification email to the NGA. The email went out at 10:33 PST (17.33 GMT) on 25 May. The bucket was secured at 10:42 PST. The fact that it was closed off nine minutes after I sent the ‘escalated’ email would be a very big coincidence indeed.” A government agency responded on May 26th, asking UpGuard, where Vickery works, to preserve the files that had been found. The agency also asked that it remain anonymous to the public.

BAH said in a statement that no classified information was “stored on the server.”

“We have confirmed that none of those usernames and passwords could have been used to access classified information,” the contractor added.

BAH on the Incident

BAH said that this was “an unintentional mistake.”

“As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation,” they said.

“Our client has said they’ve found no evidence that classified data was involved and so far our forensics have indicated the same.”