Third-party vendor linked to Department of Defense S3 blunder

Ever since it opened as the headquarters for the US War Department (now the US Department of Defense) more than 70 years ago, the Pentagon has acted as a symbol of the country’s military and intelligence capabilities.

It therefore came as a surprise when it was announced last week that a massive trove of data collected in apparent government intelligence-gathering operations was left on three publicly downloadable cloud-based storage servers.

A new report from the UpGuard Cyber Risk Team details the discovery of the Amazon S3 repositories, which purportedly contain billions of public internet posts and news commentary scraped from the writings of many individuals and gathered by CENTCOM and PACOM – two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific.

“The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past eight years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world,” said UpGuard cyber resilience analyst, Dan O’Sullivan.

According to the researchers, there was evidence that the software employed to create these data stores was built and operated by an apparently defunct private sector government contractor named VendorX.

While UpGuard said the apparently benign nature of the vast number of captured global posts raises “serious questions about the extent and legality of known Pentagon surveillance against US citizens”, the researchers said the data leak also acted as an illustration of just how damaging third-party vendor risk can be.

“The possible misuse or exploitation of this data, perhaps against internet users in foreign countries wracked by civil violence, is a troubling possibility, as is the presence of US citizens’ internet content in buckets associated with US military intelligence operations,” said O’Sullivan.

“Despite all of this, the same issues of cyber risk driving insecurity across the landscape are present here, too. A simple permission settings change would have meant the difference between these data repositories being revealed to the wider internet, or remaining secured.”