In the latest exposure of sensitive personal data online, a computer security firm has disclosed that the CVs of thousands of former US military personnel, including hundreds with ‘Top Secret’ security clearances, were left available on an Amazon S3 cloud storage repository.
The incident, which involves applicants to a North Carolina-based private security contractor, is the latest to involve misconfigured cloud-based storage repositories.
Ironically, the data was exposed during what was supposed to be the secure transfer of the CVs from a third-party recruiting firm to TigerSwan, the security contractor in question, according to TigerSwan’s account.
The information exposed included information typically found on CVs, including detailed contact information, as well as description of elite or sensitive military and intelligence roles. At least four Iraqi and four Afghan nationals who had provided services to US or Coalition forces were included in the 9,402 documents.
TigerSwan said it initially contracted with recruiting firm TalentPen in 2008 to help with the fulfilment of a services contract, then terminated the arrangement in February of this year.
As part of the termination the firm arranged for TalentPen to transfer the remaining CVs in its possession to a secure server operated by TigerSwan. TalentPen apparently used the Amazon S3 bucket to carry out the transfer, but neglected to delete the CVs once they’d been transferred, TigerSwan said.
They remained on the S3 bucket, accessible without a password to anyone who entered the repository’s online address, until they were discovered by computer security firm UpGuard on 20 July.
Upguard contacted TigerSwan, but TigerSwan said it didn’t think the report was credible, since the Amazon S3 address provided was one TigerSwan knew nothing about.
As a result the company said it took no action, and the CVs remained online until August, when UpGuard contacted Amazon S3 directly. Amazon in turn notified TalentPen, which then removed the CVs.
The data remained exposed until 24 August, more than a month following its discovery by UpGuard. TigerSwan said it only became aware the leak was genuine when it was contacted by reporters on 31 August.
UpGuard said the incident indicates how the use of third parties can compliate online security practices.
In a similar incident, researchers said last week that data on millions of Time Warner Cable (TWC) customers were exposed in an S3 bucket by a third-party contractor hired by TWC to develop a smartphone application.
Inadvertent data leaks have become more frequent as it becomes more routine for companies to make use of cloud-based services.
In July it was disclosed that Verizon had exposed data on about 6 million customers by misconfiguring an Amazon S3 bucket, and similar incidents have affected voter information held by the Republican National Committee (RNC) and customer data exposed by wrestling entertainment company WWE.
The RNC breach, disclosed in June, affected more than 198 million people, or about 61 percent of the US population, and was the country’s largest-ever voter data exposure.
Last month Amazon announced a machine learning-based tool aimed at spotting such security lapses. ‘Macie’, a fully managed service, scans users’ data repositories for sensitive data including personal information or intellectual property and uses machine learning to establish a baseline for how it’s typically accessed. The system then generates alerts when it detects unauthorised access or inadvertent data leaks.
How well do you know the cloud? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…