Well, the verdict is in. The drone documents found on the dark web were drone maintenance documents. These documents were found behind a Netgear router whose FTP (file transfer protocol) password had not been changed.
This is a simple mistake. You might even say that this was a “rookie” mistake. Nevertheless, I am stunned that this kind of mistake would be made on a program that had already been granted its authority to operate (ATO). But the fact that this has happened proves that continuous vulnerability testing and compliance monitoring are keys to ensuring the ongoing (and safe) operations of a program.
And if this is true for the U.S. Department of Defense, then it is also true for each of us. So here is my simple question: have you changed default passwords on every system that you access?