A private security firm left the personal info of U.S. citizens with Top Secret security clearance vulnerable to leaking by failing to secure an Amazon cloud server with a password.
Gizmodo reports that the North Carolina-based security firm TigerSwan may be responsible for the leak of thousands of files containing the personal information of U.S. citizens with high-level security clearances. The security firm reportedly left documents containing the personal information on an unsecured Amazon server, leaving the data vulnerable for the past year.
The security firm has, however, pointed to a third-party vendor, TalentPen, as the source of the data breach. “At no time was there ever a data breach of any TigerSwan server,” said TigerSwan. “All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume.”
Gizmodo reports that TalentPen did not respond to a request for comment and that TigerSwan refused to provide any proof of TalentPen’s wrongdoing in the breach. Approximately 9,400 documents were stored on the unsecured Amazon server, which could be accessed without a password. The documents contained personal information on thousands of individuals who previously or currently work at the US Department of Defense and within the intelligence community. Other documents available on the server included information about Iraqi and Afghan nationals who cooperated with U.S. military forces in their home countries.
The files were discovered in a folder labeled “resumes” by a security analyst at California-based security company UpGuard this summer. Many of the files in the folder contained the personal information of U.S. citizens with Top Secret security clearance. Some of the files were time-stamped, indicating that they were uploaded sometime in mid-February.
UpGuard said in a statement, “A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details.” Due to the number of resumes involved, the scope of the data breach has not yet been fully determined, but the breach may have severe consequences. Some of the applicants were reportedly involved in extremely sensitive and highly classified military operations.
“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans. As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach,” said Jim Reese, the TigerSwan CEO, in a statement on their website.
TigerSwan also urged anyone who applied to work at the firm between 2007 and 2017 to contact the company directly to determine whether or not their personal information had been left vulnerable.