Sensitive details about thousands of U.S. veterans, including security clearance levels and past operations, were left publicly accessible in a misconfigured cloud storage bucket holding job applications to a private security firm.
Cybersecurity firm UpGuard discovered 9,402 resumes for positions at North Carolina-based TigerSwan, a service-disabled veteran owned company that provides a variety of global security services. TigerSwan has worked as a Defense and Homeland Security department contractor and faces a lawsuit over its role surveilling the Standing Rock protests against the Dakota Access Pipeline.
Most of the resumes belong to U.S. military veterans, but the files also cover intelligence officers, government contractors, law enforcement officers and some Iraqi and Afghan nationals who worked as translators for coalition forces. Many contain only the contact information expected on a resume; others include passport numbers, Social Security numbers and driver's license numbers, UpGuard said.
UpGuard said it notified TigerSwan about the exposure in July and several more times afterward. In a Sept. 2 statement, TigerSwan said UpGuard's initial contacts looked like phishing attempts and were "not considered credible" because TigerSwan did not itself use Amazon Web Services. The files remained publicly accessible for about a month, until UpGuard contacted AWS and the AWS customer operating the bucket removed them in late August.
TigerSwan reached back out to UpGuard once reporters started calling. It said the AWS bucket had been operated by a recruiting services provider, TalentPen, whose contract TigerSwan had terminated in February.
“TalentPen never volunteered this information about their actions to us and only admitted it when we reached out to them after talking to UpGuard on August 31st, over a week after they secretly removed the resume files,” the company said.
In recent months, UpGuard has discovered several unsecured AWS buckets, including at Verizon and at the data analytics firms used by the Republican National Committee, exposing the data of 6 million Verizon customers and almost 200 million voters, respectively.
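The report does not say how the TalentPen bucket was opened to the public, and there are two settings that can do it: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy that allows access to a wildcard principal. The following Python is an added example, not part of the original report or of UpGuard's tooling, that inspects both documents offline. The ACL and policy inputs are constructed samples in the shape boto3's get_bucket_acl and get_bucket_policy return; the bucket name, account ID and role name are invented.

```python
"""Offline checker for the two S3 settings that make a bucket world-readable:
the bucket ACL and the bucket policy. Inputs are constructed samples shaped
like the responses of boto3 get_bucket_acl / get_bucket_policy."""
import json

# Group URIs that mean "anyone" in an S3 ACL. AuthenticatedUsers is any AWS
# account holder, not just the bucket owner, so it is effectively public too.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(grantee_uri, permission)] for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return [(sid, has_condition)] for Allow statements open to any principal.

    A Condition block narrows a wildcard principal, but conditions such as
    aws:Referer are trivially spoofed, so conditional statements are reported
    rather than silently accepted."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings


def assess_bucket(acl, policy):
    """Combine both checks; 'public' is True only for unconditional exposure."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    return {
        "acl": acl_hits,
        "policy": policy_hits,
        "public": bool(acl_hits) or any(not cond for _, cond in policy_hits),
    }


# --- constructed samples (invented names, not from the report) ---------------
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",  # lets anyone list and fetch every object
}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]})
REFERER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RefererOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*",
    "Condition": {"StringLike": {"aws:Referer": ["https://careers.example.com/*"]}}}]})
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RecruitingRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/recruiting"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]}]})

if __name__ == "__main__":
    for label, acl, pol in [("leaky-acl", LEAKY_ACL, TIGHT_POLICY),
                            ("leaky-policy", PRIVATE_ACL, LEAKY_POLICY),
                            ("referer-gated", PRIVATE_ACL, REFERER_POLICY),
                            ("private", PRIVATE_ACL, TIGHT_POLICY)]:
        print(label, assess_bucket(acl, pol))
```

In practice the two documents come from `get_bucket_acl` and `get_bucket_policy` for every bucket in the account, and a finding on either should be confirmed from outside by attempting an unauthenticated listing of the bucket. Neither check would have surfaced the TalentPen bucket from TigerSwan's side, since it lived in a vendor's account, which is the reason third-party storage holding your data belongs in the same inventory as your own.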