Every day, military and civilian personnel stationed at the MacDill Air Force Base headquarters of U.S. Central Command use the Internet to reach out to foreign audiences in an effort to combat Islamic State propaganda.
To help measure the success of their efforts, CentCom personnel employ software that scrapes the Internet for social media postings.
Now, it turns out that these postings, as well as some passwords and other potentially sensitive information, were accessible to anyone with an Amazon Web Server account and some detailed knowledge about cybersecurity protocols.
In September, a California-based cybersecurity firm managed to access nearly 2 billion Internet posts by CentCom and U.S. Pacific Command that were collected through their WebOps program since 2009 and stored on the Amazon Web Server.
This access, first reported by CNN, was made possible by the way the command set up its cloud storage, according to UpGuard, the California firm. In addition to the social media postings, many from people in the United States, UpGuard discovered passwords and other potentially sensitive information stored on those files.
Storing data on the cloud should be done very carefully for security reasons, Chris Vickery, UpGuard's director of cyber risk research, told the Tampa Bay Times. Apparently, Vickery said, "CentCom did not do it extremely carefully."
Vickery said he notified the military about the security loophole as soon as it was discovered. He said he would "not be surprised" if someone besides him accessed the information, but Army Maj. Josh Jacques, a command spokesman, said it appears no one but UpGuard did.
In fact, Jacques said, the information accessed is "not sensitive" and isn't collected or processed for any intelligence purposes.
"All the information is already readily available and out there," he said. "None of the data is being used for intelligence or anything like that. We are not gathering intelligence or trying to monitor the communications of anyone. We use key words that pull in the data."
The command set up the cloud storage according to industry-standard protocols to ensure that authorized users would be able to access the information, he said.
Still, in the wake of the UpGuard discovery, additional security measures have been taken, Jacques said.
CentCom has experienced cybersecurity trouble before.
In January 2015, the command's Twitter and YouTube accounts were temporarily taken over by a group calling itself the CyberCaliphate, which claimed to be aligned with the Sunni insurgent group Islamic State.
While those hacks were fairly unsophisticated, and the hackers did not access any classified information or networks, UpGuard's recent report gives CentCom a poor overall rating for cybersecurity.
CentCom received a rating of 542 out of a possible 950, according to the company, which says the command failed four of nine security factors, including improper obscuring of server information and encryption of certain other information.
Pacific Command's score of 409 was even worse.
Jacques said that while CentCom "welcomes information from outside organizations" that helps improve operations, he could not comment on the specifics of UpGuard's ratings until the command conducted a detailed review.
Contact Howard Altman at [email protected] or (813) 225-3112. Follow @haltman.