About 28GB of sensitive US intelligence data was discovered on a publicly accessible Amazon Web Services S3 storage bucket. The cache, containing over 60,000 files, was linked to defense and intelligence contractor Booz Allen Hamilton, which was working on a project for the US National Geospatial-Intelligence Agency (NGA). NGA provides satellite and drone surveillance imagery for the Department of Defense and the US intelligence community.

The unsecured data was discovered by Chris Vickery, who now works as a cyber risk analyst for the security firm UpGuard. According to UpGuard, the “information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”

The bucket was not protected by so much as a password. The plaintext data it exposed contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system. Both Booz Allen and NGA say the storage was not connected to classified networks.

NGA told Gizmodo it is still evaluating the incident to decide upon the right course of action, but added, “It’s important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA.” That doesn’t mean the agency will let it slide either, as it “reserves the right to ‘address any violations or patterns of non-compliance appropriately’.”

Booz Allen, which is no stranger to security blunders (including documents pilfered by Snowden and Hal Martin, as well as being pwned by Anonymous/AntiSec hackers), failed to respond when Vickery emailed the firm’s CISO about the potential data breach on May 24.
However, when Vickery emailed the NGA on the morning of May 25, the NGA cut off access to the exposed data within nine minutes. Booz Allen finally got around to acknowledging the breach notification that evening, almost seven hours after the NGA had secured the repository.

“NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” an agency spokesperson said.

Booz Allen, which is also investigating the security snafu and “takes any allegation of a data breach very seriously,” told Gizmodo, “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

Yet Gizmodo noted that the Booz Allen server also “contained master credentials to a datacenter operating system—and others used to access the GEOAxIS authentication portal, a protected Pentagon system that usually requires an ID card and special computer to use. Yet another file contained the login credentials of a separate Amazon bucket, the contents of which remain a mystery; there’s no way to verify the contents legally since the bucket is secured by a password, and thus not open to the public.”

The AWS bucket was reportedly also tied to Metronome, another known NGA contractor. UpGuard found Google search results for that contractor advertising Viagra and Cialis, which may indicate a semi-recent malicious attack on its site. “Unless a defense contractor tasked with assisting in geospatial intelligence operations chose to voluntarily poison their own website with ads for erectile dysfunction pills, this is a troubling omen,” UpGuard said.

As UpGuard pointed out: “Vendor risk is as real as any internal risk, if the vendor is relied upon in any serious way. While it is not every day that such a risk might affect questions about international stability in East Asia, or warfare in the Middle East, the lessons of such failings of cyber resilience are relevant to any IT operation.”
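The exposure described above came down to bucket-level access control, so the check a cloud security engineer would want after reading this is an audit of every bucket their account owns for ACL grants to the world. The Python script below is an added example, not code from UpGuard, Booz Allen, NGA or the original article. It assumes the dictionary shapes boto3 returns from `get_bucket_acl` and `get_public_access_block`; the sample ACL it runs on is constructed for illustration, not taken from the exposed bucket, and `audit_account` is the only part that needs AWS credentials and boto3 installed.

```python
"""Audit S3 buckets for ACLs that hand access to the whole internet.

Added example, not code from the article or the parties it describes. The
pure functions take dictionaries in the shape boto3 returns for
get_bucket_acl / get_public_access_block; audit_account() is the live wrapper.
"""
from typing import Dict, List, Optional

# Grantee URIs that expose a bucket to everyone (AllUsers) or to anyone who
# holds any AWS account at all (AuthenticatedUsers), which is just as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl: Dict) -> List[str]:
    """Return 'Group:Permission' for every grant in an ACL that is public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission', '?')}")
    return findings


def acls_are_ignored(pab: Optional[Dict]) -> bool:
    """True when S3 Block Public Access is set to ignore public ACLs.

    Only IgnorePublicAcls neutralises an existing public grant; BlockPublicAcls
    merely refuses *new* public ACLs, so a bucket exposed before it was enabled
    stays exposed. No configuration at all (None) blocks nothing.
    """
    if not pab:
        return False
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return bool(cfg.get("IgnorePublicAcls", False))


def classify_bucket(name: str, acl: Dict, pab: Optional[Dict]) -> Dict:
    """Combine ACL grants and Block Public Access into one verdict per bucket."""
    grants = public_grants(acl)
    if not grants:
        status = "PRIVATE"
    elif acls_are_ignored(pab):
        status = "PUBLIC_ACL_NEUTRALISED"  # grant exists but is inert; still remove it
    else:
        status = "PUBLIC"  # anyone on the internet can act on the grant
    return {"bucket": name, "status": status, "public_grants": grants}


def audit_account(session=None) -> List[Dict]:
    """Classify every bucket visible to the caller's credentials (needs boto3)."""
    import boto3  # imported lazily so the pure checks above run without it
    from botocore.exceptions import ClientError

    s3 = (session or boto3.Session()).client("s3")
    results = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            pab = s3.get_public_access_block(Bucket=name)
        except ClientError as err:
            # A bucket with no Block Public Access configuration blocks nothing.
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        results.append(classify_bucket(name, acl, pab))
    return results


# Constructed sample (hypothetical owner ID): an ACL granting READ to AllUsers,
# the pattern that lets anyone list and fetch a bucket's objects, with no
# Block Public Access configuration to neutralise it.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(classify_bucket("example-bucket", SAMPLE_ACL, None))
```

Two caveats on scope. The script judges ACLs only; a bucket policy with a wildcard `Principal` also makes a bucket public and is reported separately by `get_bucket_policy_status`, and individual objects can carry their own public ACLs even when the bucket ACL is clean. S3 Block Public Access is also newer than this incident, so on a 2017 account the `PAB` branch would never fire; that is exactly why enabling it account-wide with `IgnorePublicAcls` set is the first remediation step today.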