Classified and personal details of hundreds of applicants for jobs at a private security firm in the US were exposed earlier this year after a recruiting agency uploaded the details to an unsecured Amazon S3 cloud server.
The unsecured database on Amazon S3 server contained classified details like passport numbers, driver's licenses, social security numbers and phone numbers.
TigerSwan, a private security agency headquartered in North Carolina, not only provides security services to private corporations but also assists the US military in overseas operations in Iraq and Afghanistan. The firm also has offices in Japan, the Middle East, Latin America and in North and West Africa.
READ MORE: Sensitive US intelligence data stored in unprotected cloud by defence contractor
On 20th July, security research firm UpGuard discovered that an Amazon Web Services sub-domain titled “tigerswanresumes” was configured for public access. Upon further investigation, UpGuard found a folder titled "Resumes" in the S3 bucket’s URL that contained 9,402 resumes and application forms submitted for positions with TigerSwan.
"A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details. Applicant names, home addresses, phone numbers, email addresses, and driver’s license numbers are exposed throughout," th firm said.
The resumes and job applications were received by TigerSwan as far back as in 2008. The firm later hired many of these professionals who are now engaged in providing security cover for corporations in volatile regions across the world and also assisting the US military in overseas operations.
Documents in the unsecured Amazon S3 server also include classified details about several Iraqi and Afghan nationals who assisted Coalition forces in the two countries and also worked (secretly) with western military contractors, international organizations, and domestic political agencies. These individuals and their families face constant threats from extremist groups because of their affiliations.
UpGuard also noticed classified and sensitive details of hundreds of law enforcement officers as well as military veterans in the documents. Some of them worked at Guantanamo Bay Naval Base, handled logistics of Abu Ghraib’s warehouse, participated in the 2001 invasion of Afghanistan, searched for WMDs in post-war Iraq and trained police recruits in Iraq, Afghanistan, Georgia, Liberia, Ukraine, and the Democratic Republic of Congo.
The exposure of such data in an unsecured cloud database not only places national security at risk, but also puts the very lives of such personnel, especially foreign nationals, in jeopardy. While this raises questions about how serious enterprises are about the security of sensitive data, what is more worrying is that despite the situation being known to several parties, it took more than a month to fix it.
Following their discovery, UpGuard informed TigerSwan about the unsecured database on Amazon's S3 server on 21st July and contacted the firm several times between then and 10th August as the database remained exposed. It was finally secured on 24th August, more than a month after the TigerSwan was first contacted by UpGuard.
On 2nd September, TigerSwan released a statement on its website accusing TalentPen, a third party recruiting agency formerly employed by the firm, for being responsible for the breach. The firm also stated that it took the data exposure seriously after being alerted by a 'press enquiry' on 31st August.
The firm added that while it was initially informed of the exposure by UpGuard by email on 21st July and then on 22nd July, it did not take the matter seriously as it did not own or directly control any cloud file repository. In fact, the firm treated UpGuard's email as a phishing scam because it 'lacked credibility'.
The unsecured S3 bucket’s URL was set up by TalentPen to transfer recruiting records back to TigerSwan after the latter fired the agency in February this year. The URL was initially secured with a 256-bit secret access key and a 20-character user id which were valid until 10th February. Even though TigerSwan downloaded the data on 8th February, TalentPen failed to delete the URL or its contents even after the security credentials expired.
On 24th August, UpGuard contacted Amazon Web Services who in turn notified TalentPen about the unsecured URL, resulting in its closure. TigerSwan claims that it had no role in the process as the URL was set up and managed by TalentPen and that the agency never notified the firm about its negligence.
"Assuming that TigerSwan’s statement that the S3 bucket was owned and operated by a former third-party vendor is true, such a prospect once again raises the danger of third-party vendors as an unsafe and overlooked link in an enterprise’s IT environment," noted UpGuard.
The firm believes that if an enterprise with highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to a third-party vendor lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
"The month-long delay from when TigerSwan was notified about the exposure and the data ultimately being secured is especially unfortunate. A strong cyber resilience program should include the ability to respond quickly and with agility when exposure of sensitive information is discovered," it added.