Military Vet Data Exposed In The Latest Data Leak Involving Unsecured AWS Storage Buckets

Another in a series of data leaks involving AWS storage was reported over the weekend, this time exposing personal information about veterans and the sensitive work they did for the U.S. military.

About a month and a half after AWS warned customers to secure their storage buckets, UpGuard, the security firm that's discovered many eye-opening data protection failures of late, published the report about publicly accessible resumes and job applications submitted to TigerSwan.

The security researcher's Cyber Risk Team found thousands of documents from veterans looking for work with the North Carolina-based private security firm sitting in an AWS S3 bucket that could have been accessed by anyone who stumbled upon the company's URL.

[Related: AWS Introduces Intelligent Security And Integrated Cloud Migration Capabilities At New York Summit]

id
unit-1659132512259
type
Sponsored post

Among the military veterans exposed to risk, hundreds claimed Top Secret security clearances, according to UpGuard.

TigerSwan has blamed a recruiting company called TalentPen that it said it stopped using in February.

UpGuard found the exposed S3 bucket on July 20, and warned TigerSwan the next day. The researchers checked in again on August 10 after seeing the same data was still unsecured. The bucket wasn't locked down for another two weeks.

"If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information," UpGuard wrote.

The veterans who were exposed submitted information about their past military duties, some including sensitive details of their overseas deployments, as well as all the typical items to be found on a resume: addresses, phone numbers, email addresses, driver's licenses.

Also exposed for months were resumes of Iraqi and Afghan citizens who helped the United States in their home countries.

David Klee, founder and chief architect at Heraflux Technologies, an AWS partner based in Scarborough, Maine, told CRN that blame for the breach falls solely on the administrator who created the AWS bucket.

"It was not secured, which is a cardinal sin for using AWS S3," Klee said. "No password was required to access the data, and hundreds of tools and sites are available that can scan and identify exposed buckets with very little knowledge required by the 'curious' third-party to access."

The series of data leaks over the last year represents a frightening trend, Klee said, since all those high-profile incidents were entirely preventable.

Partners can play a large role in ending the problem.

"These objects, just like any cloud and on-prem-based entities, need to be periodically scanned and reviewed for the security footprint, because if your organization does not find these vulnerabilities, someone else will, and you’re not going to like the results," Klee said.

Amazon recently warned users to avoid changing the default secured S3 settings unintentionally.

In July, the public cloud leader sent customers with unsecured buckets a letter advising them to evaluate their settings and ensure they were not improperly configured.

That email noted that for some use cases it's necessary and perfectly acceptable to not impose any controls, such as public websites or content intended to be downloadable by all who want it.

But recently "there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available," the email read.

An S3 bucket is just a cloud drive set up in an AWS region for object storage. Each bucket has its own Access Control List (ACL) by which users administer policies.

The AWS letter was sent a week after the public learned that Nice Systems, a customer engagement software vendor with a large security practice, exposed personal information from 14 million Verizon customers on an unsecured S3 drive.

A few days after the Verizon leak came to prominence it was revealed Dow Jones & Company, parent of The Wall Street Journal, allowed semi-public access to personal and financial data of 2.2. million customers.

Other recent incidents included a misconfigured database exposing 200 million voter records culled by the Republican National Committee and an unsecured WWE account that threatened the confidentiality of 3 million wrestling fans.