The National Security Agency has been acting like the National Stupidity Agency for the past several years now. Regardless of how we feel about NSA’s obsession with surveillance, the agency has repeatedly proven its incompetence through leaks upon leaks coming out of its doors. While it may like to blame China, Russia, North Korea or some private security firm for stealing its secrets, the agency has routinely handed all that confidential data on a platter to those looking for it at the right places.

Following the damning Snowden leaks in 2013 (for which he is still suffering in exile while the agency reigns supreme in the United States), there have been multiple leaks thanks to contractors, NSA’s own employees or some security bad practices. In a latest of what seems like an endless stream of confidential and potentially devastating leaks, a private security researcher has revealed that the agency left a batch of NSA and Army files on a cloud storage server with no password. (Seriously, what’s with NSAand Apple?)

Chris Vickery of the security firm UpGuard shared that over 100 GBs of data from an Army intelligence program codenamed Red Disk was left unprotected. The disk image belongs to the US Army’s Intelligence and Security Command (INSCOM), which is a division of both the Army and the NSA. While the Amazon Web Services storage server was unlisted, it was public and without a password, leaving the data out in the open for anyone to download.

Vickery had apparently informed the government of this “breach” in October, after which the server was secured. It can’t be known who might have downloaded this data before it was secured.

Latest NSA leaks contained “top secret” data

Vickery said that the data contained nearly 50 files, some of which was tagged as Top Secret or NOFORN (no foreign nationals). UpGuard added that they also found:

- Virtual hard drive used for classified communications within secure federal IT environments
- Details concerning the Defense Department’s battlefield intelligence platform known as DCGS-A
- Information on Red Disk, “a troubled Defense Department cloud intelligence platform”
- Private keys belonging to Invertix, a defense contractor that works with INSCOM

The Pentagon reportedly spent over $93 million on Red Disk, however, it was never fully deployed. “Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data,” the security firm said in its report.

The company added that the leak could have easily been avoided by limiting the server access to only authorized individuals. “What are we doing wrong when ‘top secret’ data is literally two mouse clicks away from worldwide exposure?” Vickery said. “How did we get here, and how do we find a way out?”