[BreachExchange] Senator Probes Top US Defense Contractor Over Leaked Data Tied to Pentagon Project

Inga Goddijn inga at riskbasedsecurity.com
Thu Jun 22 14:11:22 EDT 2017


http://gizmodo.com/senator-probes-top-us-defense-contractor-over-leaked-da-1796277071

One of America’s top defense contractors is facing questions over its
security practices after sensitive files tied to a Pentagon project were
discovered on a publicly accessible Amazon server.

In a letter on Tuesday, US Senator Claire McCaskill aired her concerns
about security protocols at Booz Allen Hamilton, one the world’s top
consulting firms, which generates annual revenues of more than $5 billion
from an array of lucrative defense, intelligence, and homeland security
contracts.

In part, the Missouri senator’s concern stems from two high-profile
security breaches at Booz Allen in recent years, including former National
Security Agency contractor Edward Snowden, an employee of the company when
he absconded to Hong Kong with a cache of top-secret documents in 2013.

Last month, Gizmodo reported exclusively on a 28GB trove of Booz Allen
files uncovered by the cyber-resilience firm UpGuard, exposed on a cloud
server without a password. The files, which were sensitive but
unclassified, included work for the US National Geospatial-Intelligence
Agency; the digital security credentials of a Booz Allen senior engineer;
and other credentials stored in plain text, potentially granting access to
other servers.

That incident, McCaskill said, raised “serious questions about the security
protocols that [Booz Allen] has in place to prevent these types of
occurrences.” She continued: “It’s of vital importance that no one can gain
unauthorized access to national security information—but Booz Allen
Hamilton put passwords and other sensitive information out there for the
world to see.”

McCaskill, the top-ranking Democrat on the Senate Homeland Security and
Governmental Affairs Committee, said her inquiry was critical to
understanding what Booz Allen was doing to “end this pattern.”

Her three questions are as follows:

1) What steps has [Booz Allen] taken to determine how this information
became available on a publicly accessible server?

2) Has [Booz Allen] determined whether any policies or security protocols
were breached and what actions have been taken against any personnel
responsible for the breach?

3) What steps is [Booz Allen] taking in order to prevent similar
occurrences in the future?

Booz Allen told Gizmodo on Tuesday that it welcomed Sen. McCaskill’s
inquiry.

The company has confirmed, it said, that no classified data was affected by
the recent incident. “No classified data was available on the affected
unclassified cloud environments, and no usernames and passwords in that
environment could have been used to access classified information.”
(Gizmodo’s story did not claim that classified material was exposed, only
sensitive-but-unclassified US government information, which also requires
strict controls with regard to distribution.)

“As soon as we learned of this matter, we took action to secure the
impacted area, alerted our client and began an investigation,” the company
concluded.

Booz Allen’s statement conveys a willingness to cooperate with McCaskill,
though minus a subpoena it’s under no legal obligation to actually do so.
But McCaskill, who co-authored legislation last year to reform the security
clearance background check process
<https://www.mccaskill.senate.gov/media-center/news-releases/security-clearance-background-checkssenate-passes-mccaskill-backed-bill-to-strengthen-national-security-process>,
has some tools at her disposal to compel a response—among them, the free
press.

“It is always our assumption that companies will be responsive to our
oversight requests,” added Drew Pusateri, a McCaskill senior advisor.

Security mishaps are not the only controversy plaguing Booz Allen at
present. In a statement on its website last week
<https://www.boozallen.com/e/media/press-release/booz-allen-hamilton-media-statement-on-form-8-k.html>,
the company revealed that the Justice Department is conducting a “civil and
criminal investigation” into potential billing irregularities.

Likewise, the company said it was fully cooperating and expected to bring
the matter to “an appropriate resolution.”