One of America’s top defense contractors is facing questions over its security practices after sensitive files tied to a Pentagon project were discovered on a publicly accessible Amazon server.
In a letter on Tuesday, US Senator Claire McCaskill aired her concerns about security protocols at Booz Allen Hamilton, one of the world’s top consulting firms, which generates annual revenues of more than $5 billion from an array of lucrative defense, intelligence, and homeland security contracts.
In part, the Missouri senator’s concern stems from two high-profile security breaches at Booz Allen in recent years, including the case of former National Security Agency contractor Edward Snowden, who was an employee of the company when he absconded to Hong Kong with a cache of top-secret documents in 2013.
Last month, Gizmodo reported exclusively on a 28GB trove of Booz Allen files uncovered by the cyber-resilience firm UpGuard, exposed on a cloud server without a password. The files, which were sensitive but unclassified, included work for the US National Geospatial-Intelligence Agency; the digital security credentials of a Booz Allen senior engineer; and other credentials stored in plain text, potentially granting access to other servers.
That incident, McCaskill said, raised “serious questions about the security protocols that [Booz Allen] has in place to prevent these types of occurrences.” She continued: “It’s of vital importance that no one can gain unauthorized access to national security information—but Booz Allen Hamilton put passwords and other sensitive information out there for the world to see.”
McCaskill, the top-ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, said her inquiry was critical to understanding what Booz Allen was doing to “end this pattern.”
Her three questions are as follows:
1) What steps has [Booz Allen] taken to determine how this information became available on a publicly accessible server?
2) Has [Booz Allen] determined whether any policies or security protocols were breached and what actions have been taken against any personnel responsible for the breach?
3) What steps is [Booz Allen] taking in order to prevent similar occurrences in the future?
Booz Allen told Gizmodo on Tuesday that it welcomed Sen. McCaskill’s inquiry.
The company has confirmed, it said, that no classified data was affected by the recent incident. “No classified data was available on the affected unclassified cloud environments, and no usernames and passwords in that environment could have been used to access classified information.” (Gizmodo’s story did not claim that classified material was exposed, only sensitive-but-unclassified US government information, which also requires strict controls with regard to distribution.)
“As soon as we learned of this matter, we took action to secure the impacted area, alerted our client and began an investigation,” the company concluded.
Booz Allen’s statement conveys a willingness to cooperate with McCaskill, though absent a subpoena it is under no legal obligation to actually do so. But McCaskill, who co-authored legislation last year to reform the security clearance background check process, has some tools at her disposal to compel a response—among them, the free press.
“It is always our assumption that companies will be responsive to our oversight requests,” added Drew Pusateri, a McCaskill senior advisor.
Security mishaps are not the only controversy plaguing Booz Allen at present. In a statement on its website last week, the company revealed that the Justice Department is conducting a “civil and criminal investigation” into potential billing irregularities.
Likewise, the company said it was fully cooperating and expected to bring the matter to “an appropriate resolution.”