Security lapse exposed thousands of military contractor files

The personal info of Americans with Top Secret clearance was left on a public server.
Saqib Shah, @eightiethmnt
September 4, 2017

Thousands of files containing the private info of US military and intelligence personnel have been exposed online. The documents (which included a mixture of resumes and job applications) were found on a public Amazon Web Services server by cybersecurity firm UpGuard. A research analyst for the company traced the files back to a North Carolina-based private security firm known as TigerSwan. In a statement on Saturday, TigerSwan blamed the lapse on TalentPen, a third-party recruiting vendor.

The roughly 9,400 files contain the personal details of TigerSwan's prospective employees, some of whom had applied for work as far back as 2008. The documents include info such as an applicant's home address, phone number, email address, driver's license, passport and social security numbers.

They also reveal sensitive details about individuals who were (and may still be) employed by the US Department of Defense and US intelligence agencies. Others who may have been exposed include several Iraqi and Afghan nationals (who worked as translators for US and Coalition forces), a former UN worker in the Middle East, and a former US ambassador to Indonesia. TigerSwan insists the documents were not leaked as part of a data breach.

Many of the timestamped files seem to have been uploaded to the public server in February. They were left there, available for anyone to download, for at least several months. In July, UpGuard's director of cyber risk research Chris Vickery discovered the files and alerted TigerSwan to them. However, as the server did not belong to the private security firm, it took almost an additional month before it was shut down on August 24. TigerSwan confirmed this timeline of events.

According to the statement, TalentPen set up a secure site to transfer the resumes to the TigerSwan server, following the closure of its contract. The private security firm learned that its former vendor had used a bucket site on Amazon Web Services for this process. But TalentPen apparently failed to delete the documents after TigerSwan's log-in details expired.

"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," TigerSwan said. "The resume files in question have now been properly secured and no additional risk of exposure exists."
