A computer security company said classified information belonging to the United States Army Intelligence and Security Command (INSCOM) was leaked on the internet, exposing information on data and systems used for communications so anyone could see it.
According to the company, UpGuard, “INSCOM’s web presence provides troubling indications of gaps in their cybersecurity,” the company wrote in a release. INSCOM is a division of both the U.S. Army and the National Security Agency (NSA).
“Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies,” the company wrote in the release.
“The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System – Army (DCGS-A), as well as the platform’s troubled cloud auxiliary, codenamed ‘Red Disk,'” the release read.
“The hard drive contains six such partitions, varying in size from 1 GB to 69 GB, and contains indications in its metadata that the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner,” the release read. “Finally, also exposed within are private keys used for accessing distributed intelligence systems, belonging to Invertix administrators, as well as hashed passwords which, if still valid and cracked, could be used to further access internal systems.”
Chris Vickery, UpGuard Director of Cyber Risk Research, made the discovery on Sept. 27, which “contained 47 viewable files and folders in the main repository, three of which were also downloadable,” according to the release.
Vickery told the U.S. government about the leak and was told Oct. 10 that it had been secured, the Associated Press reported.