An unnamed employee of federal contracting giant Booz Allen Hamilton temporarily left sensitive government passwords exposed online last week, raising questions about the McLean company’s cybersecurity practices after drawing scrutiny for the way top secret data was mishandled in two earlier, high-profile cases.
The leak was discovered when an unaffiliated cyber analyst named Chris Vickery happened upon the passwords while guessing at Internet addresses that might be in use on certain Web servers. His company, UpGuard, published his findings in a Wednesday blog post.
Booz Allen Hamilton and its government customer, the National Geospatial-Intelligence Agency, both said that the passwords could not have been used to access classified information. The agency says it invalidated the affected passwords immediately after being notified of the incident.
A Booz Allen Hamilton spokesman described the incident as an isolated mistake made by one employee. “It appears that this is an individual’s mistake,” spokesman James Fisher said. “While any incident of this nature is unacceptable and we hope to learn from it, so far we see this event as having limited impact.”
Fisher declined to name the employee, citing personnel rules, saying only that the company is “taking appropriate action.”
Cybersecurity experts decried the leak, arguing that leaving government passwords unprotected online could give hackers a point of entry to other networks, even if they didn’t provide direct access to classified databases. If an outsider like Vickery could find the information by trying random Web addresses, a hacker could just as easily do the same.
“It’s just straight up sloppiness, laziness, and really not adhering to policies,” said Bob Wandell, vice president of services at Nehemiah Security, a Tysons-based cybersecurity company.
The passwords in question were stored on an Amazon cloud server, which organizations use to host and share projects. Individuals and organizations can rent storage space online and share access through common Web addresses, or URLs, similar to file-sharing services such as Dropbox and Google Drive. (Amazon founder Jeffrey P. Bezos owns The Washington Post.)
“Hackers are constantly scanning the whole cloud environment … they do this repeatedly just to wait for someone to make a mistake like this,” said Tim Prendergast, a cloud security expert with cybersecurity firm Evident.io. “I think we’re going to see more of these over time as cloud computing continues to accelerate its growth.”
The findings are the latest blow for Booz Allen Hamilton, which has come under scrutiny in recent years after employees leaked highly classified information to the public.
Edward Snowden, whose 2013 disclosures of classified National Security Agency information upended a number of government surveillance programs, was a Booz Allen Hamilton contractor. More recently, a longtime Booz Allen Hamilton employee named Harold Martin III was charged with hoarding a massive cache of classified NSA data in his home and car.
The leaks brought to light Wednesday appear to be much less consequential. It’s possible the employee wanted to avoid the hassle of frequent log-ins while working on a project.
“They probably did it for convenience,” Vickery said. “Thus far we have no reason to believe it was a purposeful leak.”
That Amazon’s cloud server was being used to service a contract with a U.S. intelligence agency is indicative of a broader shift happening across the government, as data and applications move off individual computers and internal networks and into less costly and more adaptable cloud-based systems.
Capitalizing on that shift within the government is a key component of Booz Allen Hamilton’s business strategy.