Technology Firm "Booz Allen Hamilton" Exposes Unprotected Government Passwords Online
Updated: Mar 15, 2020
An unaffiliated cyber analyst stumbled upon government passwords that had been temporarily left exposed online. Chris Vickery found this valuable information by attempting to guess Internet addresses that might be used by certain Web servers, and the finding was later published in a post on his company UpGuard's blog as a critique of the corporation's safeguarding.
Questions about the cyber safety of such an established firm as Booz Allen Hamilton were raised, as the information exposed was highly confidential and contained sensitive data. Huge damage could follow from a reluctance to use secure and suitable passwords if such ignorance persists whilst handling confidential information. Whilst there has been no reason alleged to believe that the unidentified employee purposefully released the password, the blatant unawareness is appalling for the establishment.
Immediate action followed the report of an insecure password; the executive officers of the firm have confirmed that the affected passwords were invalidated immediately. Whilst the exposed password has been announced to provide no access to any classified information, the simple fact that there has been a breach in technical security is rather worrisome. In its defense, Booz Allen Hamilton claims that it was a one-off occurrence caused by a rather unfortunate mistake by an individual. However, critics continue to fault the firm. “It’s just straight-up sloppiness, laziness, and really not adhering to policies,” said Bob Wandell, vice president of services at Nehemiah Security, a Tyson’s-based cybersecurity company. It must be acknowledged that online security cannot tolerate any such occurrences; the consequences of a single mistake could be dire for the company and be used against it in many ways.
Hackers derive large amounts of data from such weak links in systems. That someone could reach passwords through a simple web search clearly shows how easily hackers can view the data, highlighting a major flaw in the system. Cybersecurity experts warned that the leak gives any hacker an entry point into official documentation and direct access to classified databases.
Another finding in this case includes assertions that the passwords were stored on an Amazon cloud server. Subscribing to the use of file-sharing services creates an instant breach of security, as organisations share access across the common web, providing entry to all.
“Hackers are constantly scanning the whole cloud environment … they do this repeatedly just to wait for someone to make a mistake like this,” said Tim Prendergast, a cloud security expert with cybersecurity firm Evident.io. “I think we’re going to see more of these over time as cloud computing continues to accelerate its growth.”
The employee in question probably chose the convenience of using the Amazon cloud server, but the cost of doing so was much greater. Whilst the case explained here concerns Booz Allen Hamilton, many multinational corporations have similar issues. This further elevates the importance of maintaining a completely safe and secure environment when dealing with such sensitive information. Any small deviation in the system, as can be seen, can open the way to huge losses. Cybersecurity, therefore, should be heavily enforced and encouraged by firms. This may not be the first or the last time that loopholes are found in computer databases; however, being more proactive would benefit everyone. Incorporating small changes to become safer online would lead to a more sustainable, developed business. Measures that firms could potentially undertake to reduce risk include:
Changing passwords to be more secure and keeping them updated (perhaps using a password manager to increase security)
Deleting any unused accounts to prevent any data from escaping the company
Enabling two-factor authentication for extra safety
Keeping software up to date and training staff to identify phishing and spear-phishing attacks