VIENNA, Va.—Cybersecurity researcher Jeremiah Fowler has discovered that $181-billion Navy Federal Credit Union, the world’s largest CU, allegedly left a large cache of internal backup files exposed on Amazon’s cloud storage service.
In May, Fowler found an unencrypted and publicly accessible Amazon S3 bucket containing 378 gigabytes of backup data spread across 14 files in .gz, .sql, and .twbx formats. The files, which Fowler said belonged to Navy Federal, included usernames, email addresses, hashed passwords, encryption keys, and what appeared to be proprietary system information such as business logic, optimization processes, and financial performance metrics, Bank Info Security reported.
Fowler noted he did not see any member data in plain text. Still, he warned that the exposed records could provide attackers with a roadmap for phishing or social engineering campaigns, or valuable insights into Navy Federal’s internal network and operations.
"Anytime a financial institution potentially exposes how their systems work, the individuals who access it and the type of data they are collecting, it poses serious risks,” Fowler told Information Security Media Group.
Fowler reported the exposure and access to the cloud files within hours became restricted. The credit union did not respond to Fowler. In an emailed statement to ISMG, a spokesperson said that "at this time, we are unable to share any information regarding this matter," Bank Info Security reported.
The most recent SQL dump in the exposed bucket was dated May 29, but Fowler said it was unclear how long the files may have been publicly accessible. He noted that earlier this year, security experts reported ransomware groups exploiting Amazon Web Services S3 bucket features such as versioning and encryption, highlighting the risks of misconfigured cloud storage.
According to Bank Info Security, Fowler said it was not clear whether the system was directly managed by Navy Federal or by a third-party contractor. However, the bucket contained identifiers including “NavyXXX_Backup” and email addresses linked to the credit union. “I was able to match unique or uncommon names inside the records to individuals working at Navy Federal via LinkedIn,” he said.
The exposed files also included what appeared to be hashed or encrypted credentials and data strings labeled as “keys.” Fowler emphasized he did not attempt to decrypt or use them, but cautioned that “it is hypothetically possible that these could be exploited to gain unauthorized access,” Bank Info Security said.