VIENNA, Va.–A cybersecurity researcher is reporting he has discovered hundreds of gigabytes of internal backup files from Navy Federal Credit Union exposed on Amazon’s cloud storage service.
In a post on websiteplanet.com, the researcher, Jeremiah Fowler, said he discovered an unencrypted and publicly accessible Amazon S3 bucket containing 378 gigabytes of Navy FCU’s internal backup files in May that contained 14 files in .gz, .sql and .twbx formats.
To date there have been no public reports of member information being breached.
Numerous Data Fields
According to Fowler, the exposed backup included user names, email addresses, hashed passwords, keys and what appeared to be internal system data such as business logic, codes, optimization processes and financial performance metrics. Fowler said he did not see any member data in plain text.
“Anytime a financial institution potentially exposes how their systems work, the individuals who access it and the type of data they are collecting, it poses serious risks,” Fowler told Information Security Media Group.
According to Fowler, the most recent SQL dump in the exposed bucket was dated May 29. Fowler said he had no information available on how long the files may have been publicly accessible.
Files Found
Fowler’s blog post additional stated:
- Although it is unclear whether the exposed system was managed directly by Navy Federal or a contractor, the bucket contained identifiers such as “NavyXXX_Backup” and email addresses tied to the credit union. Fowler said he was able to match unique or uncommon names inside the records to individuals working at Navy Federal via LinkedIn.
- What appeared to be hashed or encrypted credentials and data strings marked as “keys” were among the exposed files. Fowler said he did not attempt to decrypt or use them.
- The exposed backup included system logs, operational metadata and internal details such as optimization processes, rate structures and product tiers, Tableau workbook documents that connected to MySQL tables, with server connection information and calculation formulas linked to financial performance and loan portfolio metrics. Fowler said some of the XML-based files were labeled as production, revealing database structures, field names and the environments in which they operated. Password history tables with hashed strings and timestamps, as well as entries marked as keys and foreign keys mapping the relationships between data, according to the report.
Fowler said that even without member information in plain text, such internal files could provide a blueprint for how Navy Federal’s systems function, giving attackers an advantage.
Navy FCU Declines to Comment
Fowler said in his posting that he reported the exposure and that access to the cloud files within hours became restricted. The report said Navy FCU did not provide a response to Fowler, but ISMG said it was told by a spokesperson that “at this time we are unable to share any information regarding this matter.”
Fowler stated in his blog post that he was not implying any wrongdoing by Navy Federal.
The $191.7 billion Navy FCU has approximately 14.7 million members, according to its midyear call report.
