Classified Pentagon data was mistakenly left exposed on an unsecured public cloud server, cyber-security researchers have discovered.
The 100GB of data is from a failed joint intelligence-sharing programme run by the US Army and National Security Agency in 2013.
The information was left on an unlisted but public Amazon Web Services storage server.
It is likely to have been accessible to anyone on the internet for years.
The exposed data was discovered by cyber-security company UpGuard on 27 September.
A virtual-disk snapshot of a computer hard drive was found in an Amazon Web Services S3 cloud-storage account configured for public access.
The hard drive had been part of a failed cloud-based intelligence-sharing platform developed by Inscom, the US Army’s Intelligence and Security Command, in May 2013.
Sensitive details leaked
The files include sensitive details about the US Department of Defense’s battlefield-intelligence system, its cloud-based intelligence-gathering platform, Red Disk, and a virtual drive for receiving and transmitting classified data.
The files also contain private keys and hashed passwords, which could be used to access other internal systems at the Pentagon, if the passwords are still valid and the hash is cracked.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” UpGuard’s cyber-resilience analyst, Dan O’Sullivan, wrote in a blog post.
“Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible.”
The information has now been secured.
The NSA referred all media requests to Inscom, which has been contacted by the BBC for comment.