A database containing the personal details of thousands of US military vets, including some with top secret government security clearance, has been exposed to the public internet, UpGuard has revealed.
The security vendor’s director of cyber risk research, Chris Vickery, discovered the files in a misconfigured AWS S3 data storage bucket located at the subdomain 'tigerswanresumes'.
TigerSwan is a North Carolina-based private security firm which hires former servicemen and women, law enforcers and the like.
Most worryingly, despite being contacted by UpGuard about the privacy snafu, the firm failed to secure the details for another month, meaning they remained exposed to the public internet, according to cyber resilience analyst, Dan O’Sullivan.
The firm told UpGuard that the error was originally made by a third-party recruitment partner, which accounts for the large numbers of CVs and job application documents.
“The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses,” explained O’Sullivan.
“Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers. Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.”
In total, the researchers found 9402 highly sensitive documents inside a folder marked 'Resumes', including information on four Iraqi and four Afghan nationals who worked for US and Coalition forces in their respective countries.
The discovery highlights an increasingly common and highly preventable insider threat which betrays a lack of training and major internal process failures.
In July, Verizon admitted a similar error when data on at least six million customers was exposed in a misconfigured S3 bucket by third party partner Nice Systems.