[BreachExchange] TigerSwan data leak: Thousands of military and intelligence personnel files exposed in cloud storage error

[Destry Winant]

http://www.ibtimes.co.uk/tigerswan-data-leak-thousands-military-intelligence-personnel-files-exposed-cloud-storage-error-1637804

US military contractor and international security firm TigerSwan has
confirmed that thousands of files containing sensitive, personal
information of US military and intelligence personnel were
inadvertently exposed online on an unsecured Amazon server. Chris
Vickery, a researcher at security firm Upguard, discovered the Amazon
Web Services S3 storage bucket that was accidentally configured for
public access in July, which means any person with the correct IRL
could access the data.

The exposed repository contained 9,402 documents dating back to 2009
that listed the personal details of thousands of job applicants,
hundreds of which claimed "Top Secret" US government security
clearances.

The documents included a "high level of detail" about veterans' past
duties as well as applicants' home addresses, phone numbers, email
addresses and work history. Many resumes also listed information such
as security clearances, driver's licence numbers, passport numbers and
at least partial Social Security numbers.

Among the individuals exposed were a former United Nations worker in
the Middle East, an active Secret Service agent, a parliamentary
security officer in Eastern Europe, a Central African logistical
expert and an ex-soldier that provided security to TV news crews in
war zones, the security firm said in a blog post.

Other victims included a soldier who was tasked with the logistics of
the Abu Ghraib warehouse, a commando who took part in the initial 2001
invasion of Afghanistan, service members at Guantanamo Bay Naval Base
and an Army officer who was tasked with finding WMDs in post-invasion
Iraq.

Other documents included the personal details of Iraqi and Afghan
nationals who cooperated with US military forces and government
agencies in their home countries.

"While most of the applicants are American military veterans, every
continent appears to be represented in the pool, with some applicants
coming from a civilian background," UpGuard said. "On the resumes of
several foreign applicants, many also listed their passport numbers in
the resumes - a detail of potential interest amidst the burgeoning
black market in Eurasia for fraudulent passports."

Although the files were discovered on 20 July, they were not taken
down until 24 August.

In a statement on Saturday (2 September), TigerSwan said the database
of resumes was managed by a third-party vendor TalentPen. After the
company terminated its contract with TalentPen in February 2017, the
latter set up a secure website to transfer the resume files over to
TigerSwan's secure server.

TigerSwan downloaded the files on 8 February and notified TalentPen
that the procedure was completed. The files, however, were never taken
down and were allowed to remain in the publicly accessible data bucket
until August.

The company also admitted that Vickery notified them about a potential
data breach on 21 July. However, after reviewing their existing
systems and finding no evidence of a breach, they dismissed his email
as a "potential phishing scam". A call from Vickery the next day was
also "not considered credible".

UpGuard said TigerSwan told Vickery that they were working with Amazon
to secure the data during a phone call on 22 July. They eventually
contacted Amazon Web Services about the issue in August which had
TalentPen remove the files.

"Since we did not control or have access to this site, we were not
aware that these documents were still on the web, much less, were
publicly facing," TigerSwan said in a statement. "TalentPen never
volunteered this information about their actions to us and only
admitted it when we reached out to them after talking to Upguard on
August 31, over a week after they secretly removed the resume files."

TigerSwan said the resume files have now been secured with no
additional risk of exposure, but did not specify how many people were
impacted in the breach. It also noted that there was never a breach of
any of its own servers.

"We take seriously the failure of TalentPen to ensure the security of
this information and regret any inconvenience or exposure our former
recruiting vendor may have caused these applicants. TigerSwan is
currently exploring all recourse and options available to us and those
who submitted a resume," the company said.

It has encouraged any applicants who submitted their resume during its
contract with TalentPen - between 2008 and February 2017 - to contact
them to check if any personally identifiable information was left
vulnerable in the exposure.

"We take information security very seriously, especially in this
instance, because a majority of the resume files were from veterans,"
TigerSwan CEO Jim Reese said in a statement. "As a Service-Disabled,
Veteran-Owned Small Business, we find the potential exposure of their
resumes inexcusable. To our colleagues and fellow veterans, we
apologise.

"The situation is rectified and we have initiated steps to inform the
individuals affected by this breach."