Security lapse exposed thousands of military contractor files

The personal info of Americans with Top Secret clearance was left on a public server.


Thousands of files containing the private info of US military and intelligence personnel have been exposed online. The documents (which included a mixture of resumes and job applications) were found on a public Amazon Web Services server by cybersecurity firm UpGuard. A research analyst for the company traced the files back to a North Carolina-based private security firm known as TigerSwan. In a statement on Saturday, TigerSwan blamed the lapse on TalentPen, a third-party recruiting vendor.

The roughly 9,400 files contain the personal details of TigerSwan's prospective employees, some of whom had applied for work as far back as 2008. The documents include info such as an applicant's home address, phone number, email address, driver's license, passport and social security numbers.

They also reveal sensitive details about individuals who were (and may still be) employed by the US Department of Defense and US intelligence agencies. Others who may have been exposed include several Iraqi and Afghani nationals (who worked as translators for US and Coalition forces), a former UN worker in the Middle East, and a former US ambassador to Indonesia. TigerSwan insists the documents were not leaked as part of a data breach.

Many of the timestamped files seem to have been uploaded to the public server in February. They were left there, available for anyone to download, for at least several months. In July, UpGuard's director of cyber risk research Chris Vickery discovered the files and alerted TigerSwan to them. However, as the server did not belong to the private security firm, it took almost an additional month before it was shut down on August 24. TigerSwan confirmed this timeline of events.

According to the statement, TalentPen set up a secure site to transfer the resumes to the TigerSwan server, following the closure of its contract. The private security firm learned that its former vendor had used a bucket site on Amazon Web Services for this process. But TalentPen apparently failed to delete the documents after TigerSwan's log-in details expired.

"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," TigerSwan said. "The resume files in question have now been properly secured and no additional risk of exposure exists."