
Image credit: PA Archive/PA Images

Security lapse exposed thousands of military contractor files

The personal info of Americans with Top Secret clearance was left on a public server.

Thousands of files containing the private info of US military and intelligence personnel have been exposed online. The documents (which included a mixture of resumes and job applications) were found on a public Amazon Web Services server by cybersecurity firm UpGuard. A research analyst for the company traced the files back to a North Carolina-based private security firm known as TigerSwan. In a statement on Saturday, TigerSwan blamed the lapse on TalentPen, a third-party recruiting vendor.

The roughly 9,400 files contain the personal details of TigerSwan's prospective employees, some of whom had applied for work as far back as 2008. The documents include info such as an applicant's home address, phone number, email address, driver's license, passport and social security numbers.

They also reveal sensitive details about individuals who were (and may still be) employed by the US Department of Defense and US intelligence agencies. Others who may have been exposed include several Iraqi and Afghan nationals (who worked as translators for US and Coalition forces), a former UN worker in the Middle East, and a former US ambassador to Indonesia. TigerSwan insists the documents were not leaked as part of a data breach.

Many of the timestamped files seem to have been uploaded to the public server in February. They were left there, available for anyone to download, for at least several months. In July, UpGuard's director of cyber risk research Chris Vickery discovered the files and alerted TigerSwan to them. However, as the server did not belong to the private security firm, it took almost an additional month before it was shut down on August 24. TigerSwan confirmed this timeline of events.

According to the statement, TalentPen set up a secure site to transfer the resumes to the TigerSwan server, following the closure of its contract. The private security firm learned that its former vendor had used a bucket site on Amazon Web Services for this process. But TalentPen apparently failed to delete the documents after TigerSwan's log-in details expired.

"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," TigerSwan said. "The resume files in question have now been properly secured and no additional risk of exposure exists."

Via: UpGuard
Source: TigerSwan
Coverage: The Hill, Gizmodo