Slashdot Mirror


Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

14 of 115 comments

  1. regardless... by Anonymous Coward · · Score: 2, Insightful

    TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.

    1. Re:regardless... by quonset · · Score: 2

      If you want something done right, do it yourself.

      You are so right. When revealing personal information, do it yourself.

  2. Security requires consequences by Anonymous Coward · · Score: 2, Insightful

    I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).

    Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and are always thinking about security already. Which is patently false, especially during crunch time.

    Engineering proper security into products begins at the top; the execs must be serious about it, and they must be serious about building policies around it, screening candidates that can do it, hiring and utilizing auditors for it, etc.

    Without that level of focus from the top, security simply does not happen, no matter how smart the crew is.

  3. Not identity theft. by Anonymous Coward · · Score: 2, Insightful

    The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.

    You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.

    https://yro.slashdot.org/story...

  4. you're responsible for your vendors by doctorvo · · Score: 5, Insightful

    "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants."

    You're responsible for your vendors, doubly so since assessing security of others is your business.

    In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.

  5. Why the hell is this even possible? by mhkohne · · Score: 5, Insightful

    Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

    And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.

    1. Re:Why the hell is this even possible? by phantomfive · · Score: 2

      Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it?

      Mostly for hosting web pages. People host their websites on AWS (obviously) and any static resources get hosted in either S3 or a CDN.

      --
      "First they came for the slanderers and i said nothing."
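The two replies above turn on one configuration distinction: a bucket that serves a public static website is deliberately readable by everyone, while a bucket of resumes must not be. The following script is an added example written for this page, not code from the article, TigerSwan or TalentPen. It audits the three documents that decide whether an S3 bucket is anonymously readable (the bucket policy, the bucket ACL, and the Block Public Access setting, a bucket-level control AWS added after this story ran), using the JSON shapes the `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` commands return. All inputs are constructed inline so it runs offline; the bucket name `example-resumes` and the role ARN in the locked-down policy are placeholders, and the "open" policy is the static-website pattern the reply describes.

```python
"""Offline audit of S3 access configuration for anonymous (public) read access.

Added example, not code from the original post. The JSON inputs below are
constructed samples in the shapes returned by `aws s3api get-bucket-policy`,
`get-bucket-acl` and `get-public-access-block`; no AWS access is needed.
"""
import json

# Real S3 group URIs that mean "everyone" / "anyone with any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that permit reading objects (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: everyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_public_read(policy_doc):
    """True if any Allow statement grants object reads to an anonymous principal.

    Conditions are deliberately ignored (treated as not restricting), so a
    conditional public grant is still surfaced for human review.
    """
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if _principal_is_anonymous(stmt.get("Principal")) and any(a in READ_ACTIONS for a in actions):
            return True
    return False


def acl_allows_public_read(acl_doc):
    """True if the bucket ACL grants READ (or FULL_CONTROL) to a public group."""
    for grant in acl_doc.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def public_access_block_complete(pab_doc):
    """True only when all four Block Public Access switches are on."""
    cfg = pab_doc.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(key) is True for key in PAB_KEYS)


def audit_bucket(policy_doc, acl_doc, pab_doc):
    """Return a list of findings; an empty list means no public-read exposure found."""
    findings = []
    if policy_allows_public_read(policy_doc):
        findings.append("bucket policy grants anonymous object read")
    if acl_allows_public_read(acl_doc):
        findings.append("bucket ACL grants read to AllUsers/AuthenticatedUsers")
    if not public_access_block_complete(pab_doc):
        findings.append("Block Public Access is not fully enabled")
    return findings


# --- constructed samples (placeholder bucket name and role ARN) ---
OPEN_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-resumes/*"}]}''')           # static-website pattern
LOCKED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "AppOnly",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/recruiting-app"},
  "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-resumes/*"}]}''')
OPEN_ACL = json.loads('''{"Grants": [{"Grantee": {"Type": "Group",
  "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}''')
PRIVATE_ACL = json.loads('''{"Grants": [{"Grantee": {"Type": "CanonicalUser",
  "ID": "placeholder-owner-id"}, "Permission": "FULL_CONTROL"}]}''')
PAB_OFF = json.loads('''{"PublicAccessBlockConfiguration": {"BlockPublicAcls": false,
  "IgnorePublicAcls": false, "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}''')
PAB_ON = json.loads('''{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
  "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}''')

if __name__ == "__main__":
    for label, docs in (("website-style bucket", (OPEN_POLICY, OPEN_ACL, PAB_OFF)),
                        ("resume bucket", (LOCKED_POLICY, PRIVATE_ACL, PAB_ON))):
        print(label, "->", audit_bucket(*docs) or ["no public read exposure"])
```

The point of checking all three documents is that each one alone can open the bucket: a public ACL with a restrictive policy, or a public policy with a private ACL, is still a public bucket, and only the Block Public Access setting overrides both. Wiring the same functions to real `aws s3api` output is a matter of piping the command's JSON into `json.load`.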

  6. Just for the record... by edibobb · · Score: 4, Informative

    Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.

    1. Re:Just for the record... by rudy_wayne · · Score: 2

      The company was of course responsible but so is also Amazon, they could have made it so that buckets that contain classified data can't be accessed without authorization.

      Someone mis-configured their bucket. Amazon has no way of knowing this or that the information is classified. Do you really think someone is going to tell them "Hey, we're putting a bunch of classified information on your servers, could you keep an eye on it for us?"

  7. Re:you should be happy about this by ShanghaiBill · · Score: 2

    All of you Wikileaks supporters should applaud the transparency created by this breach. If you don't, then you're a hypocrite

    I believe we should have more transparency. But that doesn't mean I have to believe everything should be transparent. The government needs to have some secrets. 99% of classified material shouldn't be classified, but the other 1% should be.

    Anyway, I don't see the big deal about this breach. I had a "top secret" clearance for more than a decade. The government hands them out like candy corn on Halloween, and you can just assume that any tech within 100km of the Beltway likely has one.

    During the 10+ years I did defense work, I don't think I ever saw anything that made me go "Wow, it would be really bad if the commies knew about this!" It was mostly mundane stuff.

  8. 'Unsecured' ... not 'Insecure' by ClickOnThis · · Score: 5, Insightful

    Every time I hear the phrase 'insecure document' I die a little ... of laughter.

    An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'

    Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.

    --
    If it weren't for deadlines, nothing would be late.

  9. Predictable from outsourcing by McLae · · Score: 4, Interesting

    No company does what they are paid to do these days. It is outsourced to a company that outsources security that outsources to some fat kid lying in bed. Who hires an Indian in Mumbai to do the actual work. No surprise that something like accountability gets lost.

    And all to pretend to improve the bottom line.

    1. Re:Predictable from outsourcing by swm · · Score: 2

      Hitler: (screaming at his generals) You outsourced our security to a vendor whose servers are in Leningrad?!?!
      -- from an EFF Downfall parody

  10. "Secret History of the KGB" by Mitrokhin by HBI · · Score: 2

    Read it. Understand that the US has always been easily penetrated at this level. We have no real security worth the name at the private sector contractor level.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.