A new report has revealed that the largest data loss in CIA history occurred as the result of “woefully lax” security practices.

Back in early 2017, WikiLeaks published details on top-secret CIA hacking tools that were actually part of a larger set of data (37TB) stolen from one of the US agency’s high-security networks. These hacking tools were developed by the CIA’s Center for Cyber Intelligence (CCI) and were published by WikiLeaks as part of its Vault 7 leak series.

A WikiLeaks Task Force was assembled to investigate the practices that led to the agency’s massive data loss and it issued a report seven months after the first Vault 7 leak that provided more details on the extent and cause of the leak. The report found that the CCI was more concerned with creating cyber weapons than it was with securing them.

In a letter to the Director of National Intelligence John Ratcliffe, US senator Ron Wyden provided further details on the CCI’s failure to secure the cyber weapons it had created, saying:

“The CIA’s [Center for Cyber Intelligence (CCI)] has prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax….Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely. Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

Woefully lax security

According to the report, the CIA employee responsible for the Vault 7 leaks stole at least 180 GB of data in the spring of 2016. However, the task force said that the employee may have actually taken as much as 34 TB of the agency’s data. 

In 2018, federal authorities identified former CIA employee Joshua Adam Schulte as the suspect who had leaked the data. He was later indicted and plead not guilty to the charges. However, during Schulte’s criminal trial, the jury was unable to reach a verdict on the most serious charges.

The task force’s report also revealed that WikiLeaks did not obtain final versions of the CIA’s hacking tools and source code as they were stored in a Gold folder which was better protected.

While WikiLeaks’ Vault 7 data leak was embarrassing for the CIA, it likely taught the agency a lesson when it comes to securing sensitive data.

Via Ars Technica