Pentagon security fail left massive trove of data on Amazon server - reports
A cybersecurity expert with a track record in exposing data breaches has revealed that the US Defense Department left a massive data collection on an Amazon cloud server, which could have been accessed by anyone with a free account.
The report from Chris Vickery and Dan O’Sullivan of the security firm UpGuard reveals that the Defense Department’s Central Command (CENTCOM) and US Pacific Command (PACOM) were collecting billions of social media posts and storing them on Amazon’s cloud platform.
UpGuard say at least 1.8 billion posts, which were apparently collected as part of intelligence gathering operations, were contained in the exposed data “buckets.” This included content from Facebook, Twitter and news sites. It came from countries around the world, including America, and it was collected over an eight-year period.
The Cyber Risk team's latest disclosure: billions of records exposed from a US military program to harvest social media posts. Read here: https://t.co/Q4GQbeNN4dpic.twitter.com/90QUxOpFiZ
— UpGuard (@UpGuard) November 17, 2017
The files appear to have come from an apparently defunct private-sector government contractor named “VendorX”. The posts are written in many different languages but UpGuard notes there appears to be an emphasis on Arabic, Farsi, and dialects spoken in Afghanistan and Pakistan.
The researchers said the the revelation poses two questions: why did the Pentagon collect the enormous archive of data, and why did it store it on such a vulnerable platform?
UpGuard notes that “the Posse Comitatus Act restricts the military from 'being used as a tool for law enforcement, except in situations of explicit national emergency based on express authorization from Congress,' but as seen in recent years, this separation has been eroded.”
The Defense Department responded to the report in a statement to CNN.
"We determined that the data was accessed via unauthorized means by employing methods to circumvent security protocols,” said Major Josh Jacques, a spokesperson for CENTCOM. "Once alerted to the unauthorized access, CENTCOM implemented additional security measures to prevent unauthorized access.”
The buckets were discovered by Vickery in early September. He made the revelation public on Friday.
The cybersecurity expert has previously exposed several similar data protection gaffes such as when over 9,000 sensitive files containing the personal data of former military, intelligence and government workers were left in public view for months and when up to 14 million Verizon customers’ details were left on an unsecured server.