Cyber Contractor “VendorX” Leaves Huge Pentagon Surveillance Program Unsecured, On Cloud

(TFC) A cybersecurity firm recently discovered a big Pentagon mistake: a trove of social media posts, recorded as part of a data-gathering program, left unsecured on cloud servers. It’s a snafu that raises questions about how well surveillance contractors secure the sensitive information they handle.

The find was discussed in a blog post by the cybersecurity firm UpGuard, specifically its cyber risk team. According to Ars Technica, many of the stored posts were trivial, drawn from the social media activity of US citizens and others worldwide. UpGuard’s blog describes the store as a “massive amount of data collected in apparent Department of Defense intelligence-gathering operations.”


“The repositories appear to contain billions of public internet posts and news commentary scraped from the writings of many individuals from a broad array of countries, including the United States, by CENTCOM and PACOM, two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific.”– UpGuard post on data exposure.


According to UpGuard, the trio of cloud-based servers contained billions of scraped, downloadable posts. This included “content from news sites, comments sections, web forums, and social media sites like Facebook.” Many posts were in languages other than English, and much of the material had little apparent national security value. The posts that seem to have been of most interest to the Pentagon, UpGuard continues, mostly concerned Iraqi and Pakistani politics.

Although the data is evidence of Pentagon surveillance, the actual collection was done by the contractor “VendorX”. Very little is currently known about the project, or about VendorX, which, Security Info Magazine reports, also worked on something called Project: Outpost.

Under CENTCOM operational authority, UpGuard’s blog explains, Outpost was essentially a social engineering program. Screenshots from the cloud servers that mention the project describe Outpost as “a multi-lingual social analytics platform designed to influence positive change in high-risk youth in unstable regions around the world.” Almost nothing else is publicly available about VendorX, or about the project it apparently built and operated for American military intelligence.

The unsecured cloud servers showed that VendorX had organized billions of social media posts into a searchable database. Several folders had “CENTCOM” in the title, and the servers held backups and compressed versions of every file. According to UpGuard, the social media posts date back to 2009 and were collected up to 2015.

Other files mention CENTCOM surveillance software such as “Coral Reef”, which apparently allows agencies to better understand relationships between targets. There are also references to an application called Thor, described as an efficient but complex file transfer and backup system.

Although UpGuard was able to determine all of that directly from the data on the cloud servers, big questions remain: how exactly did CENTCOM collect the billions of posts, and what was the program’s full purpose? Given the scale of the data, one could imagine some kind of automated collection similar to what social media companies use to track users. Perhaps it’s a program we’re already vaguely aware of, or perhaps something completely new.

The presence of VendorX in the equation also carries its own implications. Not only was the apparent program contracted out, but the server trio went unsecured. This wouldn’t be the first time a government contractor was caught with its pants down. Not only did the missing access controls reveal the mass collection program, they also left the data gathered through it open to anyone who found the servers, hackers included.

But, for all their blunders, third-party contractors give the government distance from its own programs. It’s a theme that keeps recurring, and it directly affects the American people. Take the Dakota Access Pipeline protests, for example, and the surveillance firm hired to monitor water protectors and journalists. Contracting out the surveillance let the law enforcement agencies deployed there keep their own hands clean. Contractors aren’t subject to Freedom of Information Act requests, among other legal shields that government agencies don’t enjoy.

Obviously, this advantage comes at a cost. Issues related to defense, surveillance and cyber contractors may become more pressing under the current presidency. How much of the surveillance apparatus has been outsourced? And at what point does farming out programs like the one UpGuard discovered become counterproductive?