The resumes and personal information of thousands of United States military veterans—including some claiming to have “Top Secret” government security clearances—were left exposed in an unsecured data repository.

The repository contained 9,402 documents, most of which were resumes of applicants seeking positions at international security firm and U.S. military contractor TigerSwan, though the database was controlled and maintained by third-party recruiting vendor, TalentPen.

The unsecured repository, an Amazon Web Services S3 data storage bucket, was discovered by Chris Vickery, the director of cyber risk research at cyber resilience company UpGuard. The repository was configured for public access, meaning any person aware of the domain could view the contents of the database—including the resumes, which were located a subdomain named “tigerswanresumes.”

The thousands of publicly accessible resumed included sensitive personal information and highly detailed records of service from defense and intelligence veterans. The applications often listed contact information including home addresses, phone numbers and email addresses.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

They also included work history, which often disclosed sensitive information such as driver’s license numbers, passport numbers, Social Security numbers and in some cases even security clearances. There were 295 applicants who claimed a “Top Secret/Sensitive Compartmented Information” clearance and one applicant with clearance above the top secret level.

Military officers were also exposed in the references of applicants. The contact information of a former U.S. ambassador to Indonesia and a former director of the CIA’s clandestine service were among those listed in resume references sections.

While many of the resumes came from U.S. military veterans, the repository also included applications from Iraqi and Afghan nationals who cooperated with U.S. forces, contractors and government agencies operating in their home countries.

Disclosure of personal details from foreign nationals who worked with U.S. forces may put those individuals at risk within their own countries. Such was the case with translators and interpreters who were promised U.S. visas in exchange for helping the U.S. military but did not receive them in a timely manner. Those vital contributors to military operations lived in fear of reprisal from opposing forces in their home countries.

The database contained at least four Iraqi and four Afghan nationals who worked with western forces or contractors. Most of those have since relocated from their home country according to UpGuard but could still be targeted in their current location or could have family members who are still at risk in their country of origin.

Vickery described the exposure of the information from defense and intelligence veterans as a potential national security risk, noting the reveal of contact information of individuals with high security clearances could allow an attacker to target those individuals in hopes of gaining access to sensitive information.

With little more than the person’s email address, an attacker could direct browser exploits or phishing campaigns at the individual in an effort to steal login credentials or other information. The reveal of personal details could allow a person to carry out a social engineering attack, posing as the person and gaining access to accounts that could further compromise their personal security and the security of others.

UpGuard’s Vickery first made the discovery of the database—which contained resumes dated between 2009 and 2016 and hadn’t been updated since February 2017—on July 20. The data storage bucket remained unsecured until August 24.

Vickery contacted TigerSwan via email on July 21 and via phone on July 22 to alert them of the exposure. According to UpGuard, TigerSwan claimed they were working with Amazon to secure the data on the July 22 call.

A statement published by TigerSwan on September 2 acknowledged the contact attempts made by Vickery in July but dismissed the email as a “potential phishing scam.” The defense contractor also said the call from Vickery the next day was “also not considered credible” and TigerSwan told UpGuard the situation was under control “in order to stop them from contacting us.”

While the database contained resumes of TigerSwan applicants, it was managed by third-party vendor TalentPen. The company was selected by TigerSwan for a services contract in 2008 and retained by the security firm through February 2017 when the contract with TalentPen was terminated.

According to TigerSwan, at the time of the contract’s termination, TalentPen set up a secure site to transfer resume files to TigerSwan’s secure server. TigerSwan downloaded the files on February 8th, and TalentPen was told to delete the files. It never did so, and the files were allowed to remain in the publicly accessible data bucket until August 24.

TalentPen was supposedly contacted by Amazon directly about the database in August and secured the repository but never disclosed to TigerSwan the exposure or the actions to secure the data until TigerSwan contacted the vendor on August 31.

The month of exposure after the initial discovery of the data bucket, along with the six months of additional exposure after the termination of TalentPen’s contract means the sensitive information sat unsecured and publicly accessible for more than half a year before any action was taken.

According to Vickery, there was no apparent cloud logging storage within the unsecured data bucket, meaning it is not clear if TalentPen would have any knowledge if the resumes or any other information was accessed by an outside source during that period—though Vickery suggested it wouldn’t be a surprise if someone had viewed the database in that time.

"If I can find it using my methods that are intentionally a little be slow and burdensome and manual...there have to be hundreds if not thousands of actual, malicious actors out there doing the exact same thing,” he said. “It's really not complicated."

TigerSwan insisted in its statement that no data breach of any of its server occurred and the information discovered in the exposed data bucket was not under the company’s control. TigerSwan has set up a hotline for those who submitted an application to the company between 2008 and 2017 who may have had sensitive information exposed.

“We take information security very seriously, especially in this instance, because a majority of

the resume files were from veterans. As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach,” Jim Reese, TigerSwan CEO, said in a statement.