Military Contractor’s Vendor Leaks Resumes in Misconfigured AWS S3
Thousands of resumes and job applications containing the personal information of U.S. veterans, many with top secret clearances, and law enforcement officers were left exposed in an Amazon Web Services S3 bucket, continuing a trend where poorly configured cloud-storage services are putting people at risk.

The applicants were seeking employment with a private military contractor from North Carolina called TigerSwan, which blames a third-party recruiting vendor, TalentPen LLC, for the leak. Researchers from UpGuard Inc., which recently found all of Chicago’s voter rolls similarly available on AWS, notified TigerSwan of the leak in July. The data remained publicly accessible until Aug. 24, UpGuard said.

“TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files. It was only when we reached out to them with the information on August 31st that they acknowledged their actions,” TigerSwan said in a statement. “In our conversation with UpGuard, they acknowledged that this third-party vendor did not act correctly. We have reached out to Amazon Web Services directly to learn everything we can.”

TigerSwan has established a phone number, 919-274-9717, where anyone who sent a resume between 2008 and this year can call for more information.

TigerSwan said it terminated its relationship with TalentPen in February and began at that time to transfer the files to a secure server owned by TigerSwan.

“TigerSwan downloaded the files to our secure server on February 8th,” TigerSwan said. “In accordance with TalentPen’s procedure, we notified them that the download was complete, initiating their process to remove the files.”

UpGuard’s Chris Vickery, a researcher responsible for discovering a number of similar leaks and a rash of password dumps in 2016, notified TigerSwan on July 21, but the email and a follow-up phone call were not considered credible. TigerSwan found no breach of its own systems and did not operate a cloud repository of its own, and therefore suspected the notification might be a phishing email.


Source: ThreatPost