Another day, another trove of data goes public. This time it is the personal and sensitive data of US citizens who applied for jobs at TigerSwan, a North Carolina-based private military contractor (a mercenary and security firm), including hundreds of applicants claiming “Top Secret” US government security clearances.
According to Chris Vickery, director of cyber risk research at security firm UpGuard, resumé files of 9,402 people were found publicly available in an unprotected Amazon Web Services S3 storage bucket run by third-party vendor TalentPen, which used the files for recruitment purposes until February 2017.
A look at the exposed files revealed applicant names, home addresses, phone numbers, email addresses, driver’s license numbers and highly sensitive job histories of US military veterans, mercenaries and even Iraqi and Afghan nationals who had worked alongside US forces and government institutions in their home countries.
Rich Campagna, CEO at Bitglass, told HackRead.com that: “In the last few months, we’ve seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless, and Dow Jones. These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. This is why Amazon recently introduced ‘Macie’: to discover, classify and protect sensitive data in AWS S3.
Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
TigerSwan was founded in 2008 by retired US Army lieutenant colonel and Delta Force operator James Reese. Since then the international security and global stability firm has provided its services during the Iraq war, the 2014 Sochi Olympics and the Standing Rock protests (the Dakota Access Pipeline protests, DAPL).
However, in May 2017, The Intercept cited leaked documents indicating that the firm used counterterrorism tactics at Standing Rock to “defeat pipeline insurgencies.” In 2011, the firm also won a one-year contract in Saudi Arabia, where it provided construction and security services for the South Gate Entry Control Point, Eskan Village, Riyadh.
In its statement, the firm acknowledged the issue and said:
“At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resumé.”
It is unclear for how long the data remained unprotected or whether it was accessed by anyone else other than UpGuard researchers.
“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details,” said UpGuard.
At the time of publishing this article, there was no official response from TalentPen, LLC, since the company has been dissolved. However, TigerSwan forwarded an email to Gizmodo showing a conversation with a former TalentPen employee.
“I’m afraid that it does show activity that seems to be consistent with the number of files and overall size of the total number of files. I want to know exactly how there could even be a possibility of this happening given the security in place to protect data and files. The account was set up to only give access to you and I. I even had to provide you with security credentials to access the information. While I no longer work for TalentPen since it had been dissolved earlier this year, I certainly want to help you get to the bottom of this,” the email said.
Here is an archived view of TalentPen’s website, which is now offline.
This is not the first time an unprotected trove of data has been discovered online. In January 2017, medical data of veterans affected by sleep disorders was exposed online; the database contained personal details of over 1,200 veterans suffering from sleep disorders.
In March this year, a misconfigured drive led to a leak of data on thousands of US Air Force officials, including passports, names, Social Security numbers and other highly sensitive personal data.
In June this year, UpGuard again discovered secret Pentagon files left unprotected on an Amazon server. The data comprised over 60,000 files, some containing very sensitive information, publicly accessible and not even protected with a password.
If you administer data stores, now is the time to run a security check on who can reach them and keep the data locked down. If you are using a third-party “cloud” provider or vendor, double-check the security settings the service offers, whether they are actually enabled, and what your contract with the provider obliges them to do.
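The check below is an added example written for this article; it is not code from TigerSwan, TalentPen, UpGuard or Bitglass, and the bucket name, account ID and role name in it are made up. It examines the three documents that decide whether an S3 bucket is reachable by everyone, in the shapes returned by the real `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` commands, and flags an ACL grant to the AllUsers or AuthenticatedUsers groups, an Allow statement whose Principal is `*`, and any Public Access Block flag left off. The sample documents are constructed, one set showing the “wrong tick box” exposure and one showing the hardened equivalent.

```python
"""Offline audit of S3 bucket exposure from its ACL, bucket policy and
Public Access Block settings.

Added example, not code from any party named in the article. The documents
below are constructed samples; feed the function real output from
`aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`
to audit an actual bucket. A fully enabled Public Access Block neutralises
public grants, but the grants are still reported so they can be removed.
"""
import json

# Well-known grantee groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(principal):
    """Flatten a policy Principal (str, list, or {"AWS": ...} dict) to a set of strings."""
    if isinstance(principal, str):
        return {principal}
    if isinstance(principal, dict):
        return set().union(*(_principals(v) for v in principal.values()))
    if isinstance(principal, list):
        return set().union(*(_principals(v) for v in principal))
    return set()


def acl_findings(acl):
    """Report every grant to a public group, e.g. READ to AllUsers (listing + download)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def policy_findings(policy):
    """Report Allow statements whose Principal is '*'; note if a Condition narrows them."""
    findings = []
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        note = " (limited by a Condition, review it)" if stmt.get("Condition") else ""
        findings.append(f"policy statement {i} allows {', '.join(actions)} to Principal *{note}")
    return findings


def pab_findings(pab):
    """All four Public Access Block flags should be True; report each that is not."""
    if pab is None:
        return ["no Public Access Block configured on the bucket"]
    return [f"Public Access Block {flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag)]


def audit_bucket(acl, policy=None, public_access_block=None):
    """Return human-readable findings; an empty list means nothing public was found."""
    return acl_findings(acl) + policy_findings(policy) + pab_findings(public_access_block)


# Constructed samples (hypothetical bucket, account and role names).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"},
]}
HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RecruiterRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/RecruitingRole"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]},
]}
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print("exposed bucket:", json.dumps(audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, None), indent=2))
    print("hardened bucket:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))
```

The exposed sample produces three findings (the AllUsers READ grant, the `Principal: "*"` statement and the missing Public Access Block); the hardened sample produces none. Either the ACL grant or the policy statement alone is enough to make every object downloadable without credentials, which is the condition UpGuard found on the TalentPen bucket.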