Updated on December 26, 2017 by Dan O'Sullivan
The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, were exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances. TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.
The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses. Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers. Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.
While the process errors and vendor practices that result in such cloud exposures are all too common in the digital landscape of 2017, the month-long period during which the files remained unsecured after UpGuard’s Cyber Risk Team notified TigerSwan is troubling.
On July 20th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 data storage bucket configured for public access, located at the AWS subdomain “tigerswanresumes.” UpGuard notified TigerSwan of the exposure by email on July 21st and then followed up by phone and email again on July 22nd. During the phone engagement on July 22nd, TigerSwan told Mr. Vickery that they were working with Amazon to secure the data. Upguard placed a follow-up call to TigerSwan’s IT helpdesk on August 10 after observing that the resume files remained unsecured. During that conversation, a TigerSwan representative admitted to being unsure as to why the bucket remained exposed and vowed to bring it to the IT director’s attention. The files were not secured until August 24, 2017. TigerSwan subsequently told UpGuard that the files were left unsecured by a former recruiting vendor.
Within the repository, publicly accessible to any internet user accessing the S3 bucket’s URL, is a folder titled “Resumes,” last backed up or uploaded in February 2017. Inside this “Resumes” folder are 9,402 documents, in varying file formats and with no naming conventions employed for the file names. While this lack of uniformity perhaps indicates the documents were unchanged since being submitted by a large pool of applicants, the file names and contents leave no question as to the nature of the data— resumes and application forms submitted for positions with TigerSwan.
A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details. Applicant names, home addresses, phone numbers, email addresses, and driver’s license numbers are exposed throughout.
An example of some of the documents, information redacted by UpGuard.
Perhaps the gravest revelation is the presence in the repository of documents from at least 4 Iraqi and 4 Afghan nationals whose resumes detail work as translators or local workers for US and Coalition forces in their respective countries, as well as with western military contractors, international organizations, and domestic political agencies. While most of these individuals have relocated overseas from their home countries, organized violence has been threatened and sometimes visited against such workers by extremist groups, as well as against family members left behind.
Among those other individuals exposed, the work histories detailed encompass a broad array of defense, intelligence, law enforcement, linguistic, and logistical professionals with diverse international experiences. A former United Nations worker in the Middle East, a parliamentary security officer in Eastern Europe, an active Secret Service agent, a Central African logistical expert, an ex-soldier tasked with providing security in war zones for TV news crews, a police chief in a southern state - the people exposed in this leak span the globe. While most of the applicants are American military veterans, every continent appears to be represented in the pool, with some applicants coming from a civilian background. On the resumes of several foreign applicants, many also listed their passport numbers in the resumes - a detail of potential interest amidst the burgeoning black market in Eurasia for fraudulent passports.
Analysis of the contents of the resume files reveals the heavy presence of US law enforcement officers within the repository, from rural US sheriff’s deputies to Defense Intelligence Agency officers posted at government facilities; 1,671 resumes mention “police department” in some capacity. A significant portion of the exposed individuals in the repository are US military veterans: from a soldier tasked with the logistics of Abu Ghraib’s warehouse; to, for at least twenty exposed individuals, service at Guantanamo Bay Naval Base; to a commando participating in the initial 2001 invasion of Afghanistan; to an Army officer tasked not only with finding WMDs in post-invasion Iraq, but with escorting a major US journalist on the hunt; to military and police trainers in Iraq, Afghanistan, Georgia, Liberia, Ukraine, and the Democratic Republic of Congo - every military branch and virtually every imaginable professional background is represented. 2,448 resumes mention “Special Forces” in the document contents.
The battlegrounds of Iraq and Afghanistan recur throughout the repository, with 3,669 and 2,712 resumes mentioning each, respectively. A sizable number of these resumes mention service in these two flashpoints not just as US soldiers, but from other Coalition and NATO member states like Canada and the UK, as well as through private military contractors like DynCorp, Blackwater, Aegis, Kellogg Brown Root, Lockheed Martin, and Titan, among others. Common among many of these disparate applicants, however, are security clearances from government agencies, such as the Secret Service, Department of Defense, and the Department of Homeland Security; of these, 295 applicant resumes claim a “Top Secret/Sensitive Compartmented Information” clearance, one that permits access to highly sensitive classified information at and above the level of top secret.
Also of note is the exposure not only of applicant details, but also of those individuals listed as references in applicant resumes. Beyond the great many military officers exposed in this manner, this reporter found the contact information of a former US ambassador to Indonesia and of a former director of the CIA’s clandestine service, each listed in a resume’s references section.
This cloud leak illustrates once again the urgent responsibility of enterprises and the vendors that work for them to ensure the security of sensitive data against exposure via misconfiguration, an unforced error which requires no malicious actors or hacking for sensitive information to be exposed to the wider internet. By reconfiguring the Amazon S3 bucket’s secure default settings to allow anyone to view all of the resumes in the repository, the data becomes available to anyone accessing the repository’s web address.
Such cloud leaks can be as damaging as any hack, without the benefit of an external culprit for whom blame can be apportioned; the leak is the result of internal process failures that allow sensitive data to be exposed. Assuming that TigerSwan’s statement that the S3 bucket was owned and operated by a former third-party vendor is true, such a prospect once again raises the danger of third-party vendors as an unsafe and overlooked link in an enterprise’s IT environment. When an enterprise with a highly resilient and secure IT toolchain outsources the job of handling sensitive or valuable data to a government contractor third-party vendor lacking such well-designed processes and systems, it will nevertheless be the hiring enterprise that pays the biggest price. And of course, no third-party vendor is necessary for a cloud leak to take place.
The potential utility of the repository that was left unsecured here is multivaried. While criminals could use the deep knowledge of work experience and personal details for anything from identity theft to one of the phishing scams known to specifically target veterans, the value of this database to foreign intelligence agencies if they were to access it is not insignificant. The presence of extremist sympathizers in western nations makes the prospect of publicly exposed Iraqi and Afghan nationals that much more alarming. Given these risks, the month-long delay from when TigerSwan was notified about the exposure and the data ultimately being secured is especially unfortunate. A strong cyber resilience program should include the ability to respond quickly and with agility when exposure of sensitive information is discovered.
Misconfigurations are an internal problem that emanate from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.