Researchers from cybersecurity company UpGuard have discovered thousands of files containing personal data on former US military, intelligence, and government workers have allegedly been exposed online for months.
The data breach has been initially attributed to security firm TigerSwan, but the company confirmed that it outsourced the selection of applicants to the recruitment firm TalentPen vendor hired to process new job applicants. The data include addresses, phone numbers, and private email accounts.
According to Gizmodo.com, some 9,400 sensitive files were accessible to anyone on a misconfigured Amazon cloud server in a folder called “resumes.”
Some of the profiles exposed have classified or Top Secret security clearances, they applied for work at the notorious security firm TigerSwan.
The exposed documents included CVs of thousands of US citizens, many of them might have worked with the US military and US intelligence agencies (i.e. Central Intelligence Agency, the National Security Agency, US Secret Service).
“The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, were exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances.” states a blog post published by UpGuard. “TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.”
The impact of the data leak could be severe, some applicants were involved in highly-classified US military operations.
According to the firm UpGuard, at least one of the applicants claimed he was charged with the transportation of nuclear activation codes and weapons components.
“One applicant referenced his employment as a “warden advisor” at the infamous Abu Ghraib black site near Baghdad, where prisoners are known to have been tortured. The applicant described his job as “establishing safe and secure correctional facilities for the humane care, custody, and treatment of persons incarcerated in the Iraqi corrections system.” reported Gizmodo.com
“Another applicant reportedly stated that he was involved in “enhancing evidence” against Iraqi insurgents during the war. Others, who provided their home addresses, as well as personal email accounts and phone numbers, were employed and may be currently employed by US spy agencies for work on Top Secret surveillance and intelligence-gathering operations.”for work on Top Secret surveillance and intelligence-gathering operations.”
The private security firm TigerSwan confirmed that its systems were not hacked.
“At no time was there ever a data breach of any TigerSwan server,”TigerSwan said.“All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants.”
The exposed S3 bucket was discovered by the popular data breach hunter Chris Vickery, he confirmed that the data was discovered in July and unfortunately they were removed from the cloud server only at the end of August.
On August, Vickery discovered more than 1.8 million voter records belonging to Americans have been accidentally leaked online by a US voting machine supplier for dozens of US states.
In June, Vickery discovered that a top defense contractor left tens of thousands sensitive Pentagon documents on Amazon Server Without any protection in places.
Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In July he discovered data belonging to 14 million U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, on April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
(Security Affairs – data leak, US military)