US military contractor and international security firm TigerSwan has confirmed that thousands of files containing sensitive, personal information of US military and intelligence personnel were inadvertently exposed online on an unsecured Amazon server. Chris Vickery, a researcher at security firm UpGuard, discovered the Amazon Web Services S3 storage bucket in July; it had been accidentally configured for public access, which means any person with the correct URL could access the data.
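The exposure came down to a bucket whose access configuration allowed anonymous reads. The following is an added example, not code from the article or from TigerSwan, UpGuard or TalentPen: a defender-side check that inspects an S3 bucket's ACL and bucket policy (in the JSON shapes the AWS API returns) and reports grants to the public groups or policy statements that let any principal list or fetch objects. The bucket name, owner ID and account ID are constructed placeholders, and the check runs offline on embedded sample data rather than calling AWS.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that make a bucket
world-readable. Pure-Python check over the JSON shapes the AWS API returns;
no network calls, so it runs offline on the constructed samples below."""
import json

# URIs AWS uses for the two predefined groups that mean "everyone".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller list or fetch objects (lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) pairs granted to a public group.

    `acl` has the shape of boto3's get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements granting read actions to everyone.

    `policy` is the parsed bucket policy document. A Condition block narrows
    the grant, so conditioned statements are not flagged by this simple check."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_is_public(acl, policy):
    """True if either the ACL or the policy opens the bucket to everyone."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# Constructed sample ACL: owner has full control, plus one world-readable grant.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: one public-read statement and one owner-only one.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")

# A locked-down ACL for comparison: only the owner is granted anything.
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("private ACL is public?", bucket_is_public(PRIVATE_ACL, {"Statement": []}))
```

In practice the two inputs would come from `get_bucket_acl` and `get_bucket_policy` for each bucket in the account, and the same review belongs in the hand-off checklist whenever a vendor transfers data through a bucket they control, since here the files stayed public for months after the transfer was complete.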
The exposed repository contained 9,402 documents dating back to 2009 that listed the personal details of thousands of job applicants, hundreds of which claimed "Top Secret" US government security clearances.
The documents included a "high level of detail" about veterans' past duties as well as applicants' home addresses, phone numbers, email addresses and work history. Many resumes also listed information such as security clearances, driver's licence numbers, passport numbers and at least partial Social Security numbers.
Among the individuals exposed were a former United Nations worker in the Middle East, an active Secret Service agent, a parliamentary security officer in Eastern Europe, a Central African logistical expert and an ex-soldier who provided security to TV news crews in war zones, UpGuard said in a blog post.
Other victims included a soldier who was tasked with the logistics of the Abu Ghraib warehouse, a commando who took part in the initial 2001 invasion of Afghanistan, service members at Guantanamo Bay Naval Base and an Army officer who was tasked with finding WMDs in post-invasion Iraq.
Other documents included the personal details of Iraqi and Afghan nationals who cooperated with US military forces and government agencies in their home countries.
"While most of the applicants are American military veterans, every continent appears to be represented in the pool, with some applicants coming from a civilian background," UpGuard said. "On the resumes of several foreign applicants, many also listed their passport numbers in the resumes - a detail of potential interest amidst the burgeoning black market in Eurasia for fraudulent passports."
Although the files were discovered on 20 July, they were not taken down until 24 August.
In a statement on Saturday (2 September), TigerSwan said the database of resumes was managed by a third-party vendor, TalentPen. After the company terminated its contract with TalentPen in February 2017, the latter set up a secure website to transfer the resume files over to TigerSwan's secure server.
TigerSwan downloaded the files on 8 February and notified TalentPen that the procedure was completed. The files, however, were never taken down and were allowed to remain in the publicly accessible data bucket until August.
The company also admitted that Vickery notified them about a potential data breach on 21 July. However, after reviewing their existing systems and finding no evidence of a breach, they dismissed his email as a "potential phishing scam". A call from Vickery the next day was also "not considered credible".
UpGuard said TigerSwan told Vickery during a phone call on 22 July that they were working with Amazon to secure the data. TigerSwan eventually contacted Amazon Web Services about the issue in August, which led to TalentPen removing the files.
"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," TigerSwan said in a statement. "TalentPen never volunteered this information about their actions to us and only admitted it when we reached out to them after talking to Upguard on August 31, over a week after they secretly removed the resume files."
TigerSwan said the resume files have now been secured with no additional risk of exposure, but did not specify how many people were impacted in the breach. It also noted that there was never a breach of any of its own servers.
"We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume," the company said.
It has encouraged any applicants who submitted their resume during its contract with TalentPen - between 2008 and February 2017 - to contact them to check if any personally identifiable information was left vulnerable in the exposure.
"We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans," TigerSwan CEO Jim Reese said in a statement. "As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologise.
"The situation is rectified and we have initiated steps to inform the individuals affected by this breach."