Files containing personal information of US military and intelligence personnel were exposed for public download for more than a year on a misconfigured cloud server.
The exposure was discovered earlier this year. Chris Vickery, director of cyber risk research at the California-based security firm UpGuard, found the cache of around 9,400 job application files on an unsecured Amazon Web Services S3 storage server that required no password to access.
“Typically, this is the result of misconfigured security settings. I hope we were the only people to find them,” he was quoted as saying by The Hill on Saturday.
The files were resumes that mostly came from military members, but also included those of intelligence veterans, a police chief and a United Nations worker in the Middle East. The files included personal contact information, such as addresses, phone numbers and private email addresses.
Some applicants in the database were involved in very sensitive and highly classified military operations. At least one applicant claimed that he was charged with the transportation of nuclear activation codes and weapons components.
Even though the files were found in July, they were not taken down until the end of August because of confusion over the source of the resumes.
The files were from job applications to TigerSwan, a North Carolina-based private security firm, and date back to 2009. On Saturday, TigerSwan blamed TalentPen, a third-party recruitment firm that worked for the company during the period in question.
TigerSwan claims that in February, when it canceled its contract with TalentPen, the recruiter used Amazon cloud services to transfer the resumes it had amassed to TigerSwan.
"TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files," TigerSwan said in a statement.
The transfer was conducted using high-end encryption and TalentPen was supposed to immediately delete the files, TigerSwan said. But the files remained on the site and, due to an apparent security setting misconfiguration, were not encrypted.
TigerSwan is encouraging any applicants for positions who submitted resumes during its contract with TalentPen to contact the company to check if any personally identifiable information was left vulnerable.