Anyone who knew where to look could have downloaded, without a password, an intelligence contractor's sensitive data about a project with a U.S. intelligence agency, according to a new report.

Chris Vickery of the cybersecurity firm UpGuard discovered tens of thousands of documents from a subcontracted engineering project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server. Data in the exposed files suggests the files were uploaded by a high-ranking engineer at Booz Allen Hamilton involved with the project.

There were no top secret files in the archive Vickery discovered, which has since been secured, and the Amazon server was not directly connected to secure networks. However, the files included credentials to log into code repositories that likely contain classified files and could contain other credentials.

"Theoretically, this could have been catastrophic," said Vickery.

This kind of mistake, misconfiguring files and databases in a way that accidentally leaves them accessible to the public, is common. Vickery has built a reputation for finding such errors, which have left everything from counterterrorism research to Mexican voting rolls exposed to the internet.

The files would likely be hidden from anyone who did not already know where to look for them. But someone with the web address of the files, or someone like Vickery, who uses specialized searches to investigate thousands of unsecured files to find the occasional interesting discovery, would be able to find them.

The NGA is investigating the security misstep.

"We immediately revoked the affected credentials when we first learned of the potential vulnerability," it said in a statement.

"NGA assesses its cybersecurity protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."