Military Vet Data Exposed In The Latest Data Leak Involving Unsecured AWS Storage Buckets

Printer-friendly version Email this CRN article

Another in a series of data leaks involving AWS storage was reported over the weekend, this time exposing personal information about veterans and the sensitive work they did for the U.S. military.

About a month and a half after AWS warned customers to secure their storage buckets, UpGuard, the security firm that's discovered many eye-opening data protection failures of late, published the report about publicly accessible resumes and job applications submitted to TigerSwan.

The security researcher's Cyber Risk Team found thousands of documents from veterans looking for work with the North Carolina-based private security firm sitting in an AWS S3 bucket that could have been accessed by anyone who stumbled upon the company's URL.

[Related: AWS Introduces Intelligent Security And Integrated Cloud Migration Capabilities At New York Summit]

Among the military veterans exposed to risk, hundreds claimed Top Secret security clearances, according to UpGuard.  

TigerSwan has blamed a recruiting company called TalentPen that it said it stopped using in February.

UpGuard found the exposed S3 bucket on July 20, and warned TigerSwan the next day. The researchers checked in again on August 10 after seeing the same data was still unsecured. The bucket wasn't locked down for another two weeks.

"If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information," UpGuard wrote.

The veterans who were exposed submitted information about their past military duties, some including sensitive details of their overseas deployments, as well as all the typical items to be found on a resume: addresses, phone numbers, email addresses, driver's licenses.

Also exposed for months were resumes of Iraqi and Afghan citizens who helped the United States in their home countries.

David Klee, founder and chief architect at Heraflux Technologies, an AWS partner based in Scarborough, Maine, told CRN that blame for the breach falls solely on the administrator who created the AWS bucket.

Printer-friendly version Email this CRN article