Military Contractor’s Vendor Leaks Resumes in Misconfigured AWS S3

Thousands of resumes and job applications from U.S. military veterans, law enforcement, and others were leaked by a recruiting vendor in an unsecured AWS S3 bucket.

Thousands of resumes and job applications containing the personal information of U.S. veterans, many with top secret clearances, and law enforcement officers were left exposed in an Amazon Web Services S3 bucket, continuing a trend where poorly configured cloud-storage services are putting people at risk.

The applicants were seeking employment with a private military contractor from North Carolina called TigerSwan, which blames a third-party recruiting vendor, TalentPen LLC, for the leak. Researchers from UpGuard Inc., which recently found all of Chicago’s voter rolls similarly available on AWS, notified TigerSwan of the leak in July. The data remained publicly accessible until Aug. 24, UpGuard said.

“TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files. It was only when we reached out to them with the information on August 31st did they acknowledge their actions,” TigerSwan said in a statement. “In our conversation with Upguard, they acknowledged that this 3rdparty vendor did not act correctly. We have reached out to Amazon Web Services directly to learn everything we can.”

TigerSwan has established a phone number, 919-274-9717, where anyone who sent a resume between 2008 and this year can call for more information.

TigerSwan said it terminated its relationship with TalentPen in February and began at that time to transfer the files to a secure server owned by TigerSwan.

“TigerSwan downloaded the files to our secure server on February 8th,” TigerSwan said. “In accordance with TalentPen’s procedure, we notified them that the download was complete, initiating their process to remove the files.”

UpGuard’s Chris Vickery, a researcher responsible for discovering a number of similar leaks and a rash of password dumps in 2016, notified TigerSwan on July 21, but an email and follow-up phone call were not considered credible. TigerSwan found no breach of its systems, nor did it have a cloud repository, therefore suspected this might be a phishing email.

“The reasons TigerSwan did not view the overtures from Upguard as credible was because his claim was inaccurate, it included a URL over which we had no knowledge or control, and contained a second URL that pointed to another, unknown website,” TigerSwan said. “Adding to our skepticism was the fact that this incident all happened during the same general timeframe as the increase in ransomware attacks.”

That changed last week when UpGuard went public with its findings, and TigerSwan soon realized that TalentPen had used an S3 bucket configured for public accessibility to transfer the resumes and personal data to TigerSwan and had never deleted the S3 instance. AWS S3 buckets are configured private by default, meaning that TalentPen changed that setting to public for some reason.

The data in the documents put the U.S. military veterans and all others in the leak at risk to identity theft and perhaps physical harm given the detail about their past duties, some of which included intelligence roles, UpGuard said. The documents also included resumes from Iraqis and Afghanis who worked alongside U.S. military, contractors and government agencies locally and may have been put at risk should their personal information been seen by others.

The documents included applicants’ home addresses, phone numbers, work history, and email addresses. More sensitive information was included in some others that included security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers, UpGuard said.

The TigerSwan documents were found in an AWS folder called “tigerswanresumes” that was last backed up, or uploaded, in February, UpGuard said. A folder called “Resumes” contained 9,402 documents of different file formats and no apparent naming convention.

“Among those other individuals exposed, the work histories detailed encompass a broad array of defense, intelligence, law enforcement, linguistic, and logistical professionals with diverse international experiences,” UpGuard said.

UpGuard said that more than 2,200 resumes mention “special forces,” while another 1,600 mention police experience in some capacity. Some of the vets worked in sensitive locations while in the service, including Abu Ghraib and  Guantanamo Bay.

“While most of the applicants are American military veterans, every continent appears to be represented in the pool, with some applicants coming from a civilian background,” UpGuard said. “On the resumes of several foreign applicants, many also listed their passport numbers in the resumes—a detail of potential interest amidst the burgeoning black market in Eurasia for fraudulent passports.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.