‘Top Secret’ US Military CVs Left Exposed On Amazon S3 Bucket
In the latest inadvertent data leak, a contractor left thousands of CVs belonging to former US military personnel exposed online
In the latest exposure of sensitive personal data online, a computer security firm has disclosed that the CVs of thousands of former US military personnel, including hundreds with ‘Top Secret’ security clearances, were left available on an Amazon S3 cloud storage repository.
The incident, which involves applicants to a North Carolina-based private security contractor, is the latest to involve misconfigured cloud-based storage repositories.
‘Secure transfer’
Ironically, the data was exposed during what was supposed to be the secure transfer of the CVs from a third-party recruiting firm to TigerSwan, the security contractor in question, according to TigerSwan’s account.
The exposed files contained the kind of information typically found on CVs, including detailed contact details, along with descriptions of elite or sensitive military and intelligence roles. At least four Iraqi and four Afghan nationals who had provided services to US or Coalition forces were among the subjects of the 9,402 documents.
“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans,” said TigerSwan chief executive Jim Reese in a statement. “To our colleagues and fellow veterans, we apologise.”
TigerSwan said it initially contracted with recruiting firm TalentPen in 2008 to help with the fulfilment of a services contract, then terminated the arrangement in February of this year.
As part of the termination the firm arranged for TalentPen to transfer the remaining CVs in its possession to a secure server operated by TigerSwan. TalentPen apparently used the Amazon S3 bucket to carry out the transfer, but neglected to delete the CVs once they’d been transferred, TigerSwan said.
They remained in the S3 bucket, readable without any authentication by anyone who entered the bucket’s web address, until they were discovered by computer security firm UpGuard on 20 July.
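The two S3 settings that produce exactly this kind of exposure are a bucket (or object) ACL granting READ to the predefined AllUsers or AuthenticatedUsers groups, and a bucket policy that allows access to the wildcard principal. The following audit script is an added example, not code from the article, UpGuard, TigerSwan or TalentPen; it evaluates ACL and policy documents in the same JSON shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, so it runs offline against captured output. The bucket name, canonical user ID and account/role ARN in the constructed samples are fictitious.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that make data public.

Input documents use the shape of the AWS API responses (boto3 / aws s3api):
  get_bucket_acl()    -> {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "READ"}, ...]}
  get_bucket_policy() -> {"Policy": "<JSON string>"}  (pass the string or the parsed dict)
"""
import json

# The two predefined groups whose grants make an ACL world-accessible.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl):
    """Return (grantee label, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are not public groups
        label = PUBLIC_GRANTEE_URIS.get(grantee.get("URI"))
        if label:
            findings.append((label, grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements with a wildcard principal and no Condition.

    A Condition does not make such a statement safe, but it needs human review rather
    than an automatic verdict, so conditioned statements are left out of this list.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        actions = st.get("Action", [])
        findings.append((st.get("Sid", f"statement[{i}]"), [actions] if isinstance(actions, str) else actions))
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into one report; 'public' is True if either check fires."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    return {"acl": acl_findings, "policy": policy_findings, "public": bool(acl_findings or policy_findings)}


# Constructed samples (fictitious identifiers), modelled on a transfer bucket left readable.
OWNER = {"Type": "CanonicalUser", "ID": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "DisplayName": "example-owner"}
EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cv-transfer/*"},
]})
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReceiverOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/cv-transfer-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-cv-transfer", "arn:aws:s3:::example-cv-transfer/*"]},
    # A wildcard Deny is fine and must not be reported.
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-cv-transfer/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(name, json.dumps(audit_bucket(acl, pol)))
```

Two caveats when using this on a real account: object ACLs can be public even when the bucket ACL is clean, so the object-level `get-object-acl` output should be fed through `public_acl_grants` as well, and a bucket that only needs to exist for a one-off hand-over should also carry a lifecycle rule that expires the objects, which is the step that was missing in the TigerSwan case.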
Botched notification
UpGuard contacted TigerSwan, but TigerSwan said it didn’t think the report was credible, since the Amazon S3 address provided was one TigerSwan knew nothing about.
As a result the company said it took no action, and the CVs remained online until August, when UpGuard contacted Amazon directly. Amazon in turn notified TalentPen, which then removed the CVs.
The data remained exposed until 24 August, more than a month following its discovery by UpGuard. TigerSwan said it only became aware the leak was genuine when it was contacted by reporters on 31 August.
UpGuard said the incident indicates how the use of third parties can complicate online security practices.
“The incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information,” the firm said in an advisory.
Inadvertent leaks
In a similar incident, researchers said last week that data on millions of Time Warner Cable (TWC) customers was exposed in an S3 bucket by a third-party contractor hired by TWC to develop a smartphone application.
Inadvertent data leaks have become more frequent as it becomes more routine for companies to make use of cloud-based services.
In July it was disclosed that Verizon had exposed data on about 6 million customers by misconfiguring an Amazon S3 bucket, and similar incidents have affected voter information held by the Republican National Committee (RNC) and customer data exposed by wrestling entertainment company WWE.
The RNC breach, disclosed in June, affected more than 198 million people, or about 61 percent of the US population, and was the country’s largest-ever voter data exposure.
Last month Amazon announced a machine learning-based tool aimed at spotting such security lapses. ‘Macie’, a fully managed service, scans users’ data repositories for sensitive data including personal information or intellectual property and uses machine learning to establish a baseline for how it’s typically accessed. The system then generates alerts when it detects unauthorised access or inadvertent data leaks.