Thousands of files containing personal data on former military, intelligence and government workers have allegedly been exposed to public view for months in a massive security lapse allowed by a US-based recruitment firm.
Some 9,400 sensitive files were found unsecured on a misconfigured public-facing Amazon cloud server. They allegedly contained personal information on former military and intelligence staff, some with classified or Top Secret security clearances, who applied for work at US-based private security firm TigerSwan, according to Gizmodo.
The files, discovered by a researcher at the California-based cybersecurity company UpGuard, were found in a folder called “resumes.” It contained CVs of thousands of US citizens, some granted Top Secret security clearances, indicating they might have worked with the Central Intelligence Agency, the National Security Agency or the US Secret Service, among other government agencies.
“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details,” UpGuard said in a statement cited by Gizmodo.
According to The Hill, the files also included resumes of a police chief and a UN employee specializing in the Middle East, as well as details about Iraqi and Afghan citizens who have cooperated and worked alongside the US military in their countries.
Some of the people affected were apparently involved in a number of high-profile operations during their careers. Gizmodo wrote that at least one of the applicants claimed he was in charge of transportation of nuclear activation codes and weapons components.
One applicant said he worked as a “warden advisor” at the notorious Abu Ghraib detention site near Baghdad, describing his experience as “establishing safe and secure correctional facilities for the humane care, custody, and treatment of persons incarcerated in the Iraqi corrections system.”
The files, stored in an unsecured Amazon S3 bucket, included personal contact information, such as addresses, phone numbers and private email accounts.
The data breach was first attributed to TigerSwan, a North Carolina-based private security firm, but the company pointed to TalentPen, an outsourced vendor hired to process new job applicants.
“At no time was there ever a data breach of any TigerSwan server,” TigerSwan said. “All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants.”
Founded in 2008 by Lt. Col. James Reese, a retired Delta Force operative, TigerSwan has operated as a US military and State Department contractor in Iraq and Afghanistan, as well as within the US on behalf of corporations.
Chris Vickery, an UpGuard analyst who discovered the lapse, said this was the result of misconfigured security settings. “I hope we were the only people to find them,” he told The Hill.
While the files were discovered in July, they were not removed from the cloud server until the end of August, the outlet wrote.