It doesn’t always require a whistleblower to leak classified NSA data, considering top secret files were stored on an Amazon Web Services (AWS) S3 bucket that was configured for public access. The server contained sensitive data belonging to the U.S. Army Intelligence and Security Command (INSCOM), which is a joint Army and NSA division.

The publicly accessible repository with classified data was discovered in September by Chris Vickery of UpGuard. It hasn’t even been two weeks since news broke of UpGuard finding unsecured Amazon S3 buckets for CENTCOM and PACOM, which contained dozens of terabytes of data about a military-sponsored web monitoring program. A third party working for the Pentagon was responsible for failing to secure the servers, which contained at least 1.8 billion scraped social media posts.

Classified information sitting unprotected online

This time around, Vickery discovered the misconfigured S3 bucket that would allow anyone entering the URL to view the repository located at the AWS subdomain “inscom;” it contained 47 viewable files and folders, three of which were freely downloadable.

According to UpGuard, “The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.”

One of the files, an Oracle Virtual Appliance (.ova) file, contained a virtual hard drive image and a Linux-based operating system “likely used for receiving Defense Department data from a remote location.” The virtual hard drive reportedly contained “over 100 gigabytes of data from an Army intelligence project, codenamed ‘Red Disk.’”

Back in 2013, Red Disk was meant to be a “battlefield intelligence platform” that would aggregate data from the Army’s Distributed Common Ground System (DCGS-A), index data, videos and satellite imagery, making them searchable in real time.
But it would crash, was slow and proved unreliable during the testing phase, which involved soldiers deployed in Afghanistan. After dumping at least $93 million into Red Disk, the Pentagon scrapped it in 2014.

While UpGuard noted that the virtual hard drive with six partitions and OS could be browsed, most of the data could not be accessed without connecting to Pentagon systems. Nevertheless, properties of the files on the virtual hard drive revealed technical configurations marked as “Top Secret;” other files were classified as “NOFORN” which stands for no foreign nationals, meaning it wasn’t meant to be shared even with foreign allies.

Defense contractor Invertix used the S3 box

Metadata revealed that the box was used by the now-defunct third-party defense contractor Invertix. Private keys belonging to Invertix admins and used to access distributed intelligence systems, as well as hashed passwords, were also exposed.

The other downloadable files from the virtual disk were a ReadMe, which contained instructions about the contents of the .ova and information about where to get additional Red Disk packages, and a “training snapshot.”

The data contained in the bucket was not protected with a password — even though classified sections indicated “Top Secret” and “NOFORN” material.
The subdomain name of INSCOM for the bucket would make the value of the information clear to malicious actors or foreign intelligence services.

In the words of Dan O’Sullivan, another member of UpGuard’s Cyber Risk Team, “Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser.”

He called the risk from third-party vendors the “silent killer” for “cyber resilience.” In this case, the transfer of data to the contractor Invertix, which has now merged into a new corporation called Altamira Technologies, opened the Defense Department to the consequences of a breach even though the DoD did not have full oversight of how the data was handled.
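The exposure reported above, a bucket whose contents anyone could list and in which only some files could be downloaded, is the pattern an ACL audit should separate out. The following is an added example, not code from the article or from UpGuard; it assumes access was granted through S3 ACLs (the article does not say whether ACLs or a bucket policy were involved), and the object names and owner ID are constructed sample data.

```python
"""Added example: offline audit of S3 ACL grants for public exposure."""

# Group URIs that S3 ACLs use for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READABLE = {"READ", "FULL_CONTROL"}


def public_readers(acl):
    """Return the set of public audiences that an ACL grants read access to."""
    found = set()
    for grant in acl.get("Grants", []):
        audience = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if audience and grant.get("Permission") in READABLE:
            found.add(audience)
    return found


def audit(bucket_acl, object_acls):
    """Bucket-level READ exposes the listing; object-level READ exposes the file."""
    exposed = {key: public_readers(acl) for key, acl in object_acls.items()}
    return {
        "listable_by": sorted(public_readers(bucket_acl)),
        "downloadable": sorted(k for k, who in exposed.items() if who),
        "listed_only": sorted(k for k, who in exposed.items() if not who),
    }


# Constructed sample data in the shape returned by get_bucket_acl / get_object_acl.
def _grant(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}

SAMPLE_BUCKET_ACL = {"Grants": [OWNER, _grant(ALL_USERS, "READ")]}
SAMPLE_OBJECT_ACLS = {
    "appliance.ova": {"Grants": [OWNER, _grant(ALL_USERS, "READ")]},
    "README": {"Grants": [OWNER, _grant(ALL_USERS, "READ")]},
    "internal/config.xml": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    print(audit(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS))
```

A bucket policy can grant the same public access independently of ACLs, so a complete review checks both.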