The resumes, addresses, and other information for many people who hold ‘Top Secret’ security clearance were left in an unsecured database after they had applied for vacancies at a security firm.
It has been confirmed by the international security firm TigerSwan that the personal details of thousands of former and current US, NATO coalition, and other service personnel were inadvertently exposed and left openly accessible for a long period of time.
The discovery was made by Director of CyberRisk Research Chris Vickery at the security firm UpGuard. Chris found that the resumes, home addresses, contact details, employment history, and in some cases, more sensitive information such as passport numbers, driver’s license numbers, partial Social Security numbers, and other crucial personal information of staff with ‘Top Secret’ clearance were publicly accessible online due to an erroneously configured Amazon Web Services S3 storage bucket.
The former and current places of work and job roles of some of the people left exposed included the Secret Service, various ‘Special Forces’, Guantanamo Bay Naval Base, several police departments, foreign translators from Iraq and Afghanistan, military intelligence roles, and various private security companies such as DynCorp, Blackwater, Aegis, Kellogg Brown Root, Lockheed Martin, and Titan.
TigerSwan appears to have received these details as part of the application processes for vacancies at the company.
This poses a real threat to many of the people affected, as some of them are active military personnel who may still be deployed in conflict zones, or may have been in the past, such as in Iraq and Afghanistan, and who may now have their personal details exposed and their families left vulnerable. Of particular concern are the details of the Iraqi and Afghan translators, whose families may still be living in areas that are very close to enemy combatants who could possibly locate them for revenge attacks.
TigerSwan has released a statement explaining that it had delegated the management of its resume databases to TalentPen, a third-party vendor. TigerSwan had subsequently terminated its working relationship with TalentPen in February of 2017 and had securely transferred the possession of all the documents that TalentPen held; however, TalentPen was apparently responsible for leaving the details in question accessible on the Amazon storage bucket. The details have now been removed.
There were 9,402 documents left exposed, but TigerSwan has not declared how many people this could have affected. The firm has stated that anyone who submitted their resume to it between 2008 and 2017 can contact it for further information about how much of their personal information was accessible online.
There is an increasing number of stories about companies extracting data without permission and about online identity theft in general. In this case, the information was filed voluntarily by prospective employees looking for a job with the firm, but this kind of story emphasizes that cyber security and defense are arguably just as important to security services as their conventional defense measures are.
Sources: UpGuard and IB Times