AWS S3 Bucket Misconfiguration Exposes Military Personnel Records of NATO Ally

A critical AWS S3 bucket misconfiguration by a defense contractor has exposed detailed personnel records of over 120,000 military service members from a NATO member state, including security clearance levels, deployment histories, psychological evaluation summaries, and home addresses.

The exposure was discovered by security researcher Chris Vickery of UpGuard, who found the publicly accessible S3 bucket during a routine scan. The bucket had been publicly readable since October 2025, potentially allowing anyone with the URL to download the complete dataset.

The exposed data is particularly sensitive because it includes information that could be used to identify intelligence personnel, special operations forces members, and individuals with access to classified information — making them potential targets for foreign intelligence recruitment or coercion.

The NATO ally's Ministry of Defense has launched an investigation into the contractor and suspended their access to military systems. The contractor, a mid-sized IT services firm, has acknowledged the misconfiguration and stated that it was caused by a junior administrator who changed bucket permissions during a migration process.

This incident highlights the ongoing risk of cloud misconfigurations and the need for automated security guardrails. AWS has expanded its default security settings for new S3 buckets, but existing buckets configured before these changes remain at risk if not manually reviewed.