Thousands of files with sensitive information about U.S. military veterans, hundreds of whom reportedly hold "Top Secret" U.S. government security clearances, were left exposed to the public after a private security firm neglected to secure an Amazon Web Services (AWS) data storage service.
North Carolina-based TigerSwan, a private security company, named the recruitment firm TalentPen as the culprit after a cybersecurity research official discovered an unsecured AWS S3 data storage bucket on July 20.
It was Chris Vickery, Director of Cyber Risk Research, who initially discovered this unsecured stash of sensitive information. The leak was finally closed on Aug. 24, and only now is UpGuard clear to disclose the incident to the public, which it did in a breach report updated on Sunday, Sep. 2.
Meanwhile, resumes of U.S. military veterans applying for positions at TigerSwan were left accessible to the public in the intervening days. These files went into detail about their past duties, which, in some cases, involved high-profile intelligence roles in the U.S. military.
These details also came with personal information about these veterans, such as home addresses, work history, email addresses, and phone numbers.
Some of them also included even more sensitive government information, such as Social Security numbers, driver's license details, security clearances and passport numbers.
TigerSwan told UpGuard that a recruitment vendor had left these files on AWS, where anyone on the public internet could see them. TalentPen reportedly left these sensitive resumes in unsecured cloud storage, potentially putting these job applicants at huge risk.
There are even resumes from Iraqi and Afghan nationals who helped U.S. forces and agencies from their home countries. With their personal details exposed, these cooperating foreign nationals could be in real danger.
"We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans," TigerSwan said in their statement on Sep. 2.
"As a part of the rectification effort, if you voluntarily filled out a resume form on our website between 2008 and 2017, please call the following hotline number to see if your resume included any personally identifiable information: 919-274-9717," the press release continued.