The NSA is one of the world's most notoriously secretive and powerful government agencies, guarding its powerful hacking tools and massive caches of collected data under layers of security clearances and world-class technical protections. But it turns out that three times in three years, that expensive security has been undone by one of its own contract employees simply carrying those secrets out the door.

In 2013, an NSA contractor named Edward Snowden walked out of the agency's building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents. Last year, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested last year for taking 50 terabytes out of the agency over a period as long two decades. And Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.

That classified data, which wasn't authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor's home computer by Russian spies, who exploited the unnamed employee's installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky's widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.

While Kaspersky is one major—though possibly unintentional—culprit in this latest theft of secrets, the root cause of the breach is the deep negligence of the NSA employee who violated his security clearance by taking incredibly sensitive materials home, says Dave Aitel, a former NSA staffer who now runs the security firm Immunity Inc.

"What are the hell are these people thinking?" asks Aitel. "Leaving the NSA with top-secret documents and putting them on your home machine is the very first thing they tell you not to do. Why it keeps happening is a mystery to me, and probably to the management at NSA."

Going Rogue

The revelation of the latest unidentified contractor, whose employer also hasn't been publicly named, comes a year after Martin was caught leaving sensitive data on hard drives in his home and car, a collection that included 75 percent percent of the hacking tools used by the NSA's elite hacking team, known as Tailored Access Operations, according to the Washington Post. Prosecutors in Martin's case have said the data also contained the highly secret identities of undercover agents.

It's not yet clear if either Martin or the most recent contractor to breach the agency's secrecy rules had any intention of selling or exploiting the documents they took. The latest incident in particular seems to be a case of carelessness, rather than profit or malice, according to the Wall Street Journal's reporting. Both of those leaks contrast with the whistleblowing-motivated data thefts of Edward Snowden---another Booz Allen contractor—who stole his thousands of top secret files with the intention of giving them to media.

'What are the hell are these people thinking?' Former NSA analyst Dave Aitel

But in the wake of the leaks carried out by Snowden, this third contractor breach points to a continuing problem with the NSA's operational security and contractor management, one serious enough that NSA director Admiral Michael Rogers was officially reprimanded by his superiors, and some high-ranking officials suggested to President Obama he be removed from his position, according to some reports last year. Rogers nonetheless maintained control of the NSA under the Trump administration. An NSA spokesperson declined to comment on "personnel issues or ongoing investigations," but did defend the agency's security posture.