Slashdot Mirror


Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

5 of 115 comments

  1. you're responsible for your vendors by doctorvo · · Score: 5, Insightful

    "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants."

    You're responsible for your vendors, doubly so since assessing security of others is your business.

    In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.

  2. Why the hell is this even possible? by mhkohne · · Score: 5, Insightful

    Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

    And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  3. Just for the record... by edibobb · · Score: 4, Informative

    Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.

  4. 'Unsecured' ... not 'Insecure' by ClickOnThis · · Score: 5, Insightful

    Every time I hear the phrase 'insecure document' I die a little ... of laughter.

    An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'

    Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.

    --
    If it weren't for deadlines, nothing would be late.
  5. Predictable from outsourcing by McLae · · Score: 4, Interesting

    No company does what they are paid to do these days. It is outsourced to a company that outsources security that outsources to some fat kid lying in bed. Who hires an Indian in Mumbai to do the actual work. No surprise that something like accountability gets lost.

    And all to pretend to improve the bottom line.