Why exactly is DoD placing TOP SECRET and NOFORN data in an UNCLASSIFIED AWS S3 bucket? Have the rules changed about what systems are authorized to process classified data? This is just unbelievably lazy and stupid:
Within the bucket of data, Vickery found 47 viewable files and three downloadable files, some of which contained information designated as “Top Secret” or “NOFORN,” a security term that stipulates that material should not be shared with foreign allies.
As UpGuard’s report details, Vickery also found “a virtual hard drive used for communications within secure federal IT environments” and “Details concerning the Defense Department’s battlefield intelligence platform” known as DCGS-A and information on Red Disk, “a troubled Defense Department cloud intelligence platform” that integrates into Red Disk.
“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data,” UpGuard notes.
Earlier this year, the same researcher discovered a set of sensitive files belonging to defense contractor Booz Allen Hamilton left out on a similarly unsecured server.
Of course, the issue isn’t that security firms are digging up these unprotected pockets of classified material, it’s that we have no way of knowing who else is.