Vault 7, the largest data leak in the CIA’s history occurred because of weak security, a new internal report said on Tuesday. The specialized unit was so focused on building cyber weapons that the attacker, a CIA employee, took advantage of the “woefully lax” security and leaked top-secret hacking tools.
The breach that occurred in 2016 only came to light a year later when Wikileaks began publishing details of the leaked top-secret hacking tools. Researchers confirmed that it was part of confidential documents stolen from one of the agency’s isolated, top security networks. The leak included 34 terabytes of information and represented the biggest data theft in the CIA’s history.
The Wikileaks Task Force was then assigned to investigate the breach that led to massive data loss. 7 months later they issued a report that assessed the extent of the damage. They discovered that the department that was compromised prioritized empowering their cyber capabilities over keeping them secure if they were to fall in the wrong hands.
The report said that day to day security had become weak. For instance, a specialized network responsible for sharing reserved cyber tools failed to follow basic practices.
The report said:
Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security