Researchers reported that thousands of U.S. veterans, law enforcement officers, and intelligence personnel had their personal data exposed in an unsecure Amazon Simple Storage Service (S3) bucket.
In recent months, it has been alarmingly common to find wide-open S3 buckets containing personally identifiable information; Amazon Web Services (AWS) was eventually prompted to remind its users to block public access to their private storage buckets.
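The exposures described in this article share one root cause: a bucket whose ACL, bucket policy, or account-level settings leave it world-readable. The following is an added example, not code from UpGuard, TigerSwan, or AWS, of the checks an auditor would run over the three responses the S3 API returns for a bucket (the shapes of boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` responses). The sample ACL, policy and Block Public Access configuration below are constructed to illustrate a wide-open bucket beside a locked-down one; they are not taken from the incident.

```python
import json
from typing import Any, Dict, List

# The two group URIs that make an ACL grant public (AllUsers = anyone on the
# internet, AuthenticatedUsers = anyone with any AWS account).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return '<Permission> to <Group>' for every ACL grant to a public group.
    `acl` has the shape of boto3's s3.get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant.get('Permission')} to {group}")
    return findings


def _principal_is_public(principal: Any) -> bool:
    # A Principal of "*" or {"AWS": "*"} (or a list containing "*") is the world.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_document: str) -> List[str]:
    """Return the Sid (or index) of each unconditional Allow statement whose
    Principal is public. `policy_document` is the JSON string found under
    'Policy' in s3.get_bucket_policy()."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def missing_public_access_blocks(pab: Dict[str, Any]) -> List[str]:
    """Return the Block Public Access flags that are not enabled.
    `pab` has the shape of s3.get_public_access_block()."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(acl: Dict[str, Any], policy_document: str,
                 pab: Dict[str, Any]) -> Dict[str, List[str]]:
    """Combine the three checks into one report; an empty report is clean."""
    report = {
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy_document),
        "missing_public_access_blocks": missing_public_access_blocks(pab),
    }
    return {k: v for k, v in report.items() if v}


# --- constructed sample data (hypothetical, not from the incident) ---------
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
OPEN_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

CLOSED_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
CLOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TransferRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/transfer"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
CLOSED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print("open bucket:  ", audit_bucket(OPEN_ACL, OPEN_POLICY, OPEN_PAB))
    print("closed bucket:", audit_bucket(CLOSED_ACL, CLOSED_POLICY, CLOSED_PAB))
```

In a live audit the three inputs would come from `boto3.client("s3")` calls against each bucket in the account; a bucket created for a one-off transfer, as in this story, is exactly the kind that is forgotten and should be flagged by an inventory sweep as well as by the access checks above.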
Security software firm UpGuard reported the latest incident on Sept. 2. This is the same company that earlier this year discovered misconfigured S3 buckets containing information on Verizon account holders, Dow Jones customers, and, on two occasions, U.S. citizens.
According to UpGuard’s reports, the S3 bucket contained thousands of resumes that were submitted electronically by job seekers to TigerSwan, a third-party recruiter services provider. These resumes were uploaded between 2008 and February 2017 and covered the entire duration of TigerSwan’s contract. They were located in an AWS bucket called “tigerswanresumes” in an AWS subdomain.
The data exposed included home addresses, phone numbers, employment histories, passport numbers, driver’s licence numbers, and Social Security numbers. This S3 bucket misconfiguration differed from previous ones in that the exposure was made more sensitive by the backgrounds and security clearances of the individuals affected, who included U.S. military veterans, intelligence personnel, and others with high-level security clearances. UpGuard identified former United Nations workers, law-enforcement officers, veterans of Afghanistan and Iraq, and foreign translators as the people whose resumes were at risk.
UpGuard first emailed TigerSwan about the exposed files on July 21st, but they were not taken down until August 24, after much back-and-forth correspondence involving UpGuard, TigerSwan, TalentPen, and AWS. TigerSwan, which confirmed UpGuard’s report in its own statement, attributed the long delay to confusion over whether UpGuard’s initial email was legitimate or “a possible phishing scheme.”
TigerSwan claimed that it wasn’t aware that the TalentPen-managed S3 bucket was online and accessible to all even though its contract had been terminated. TigerSwan claims that the bucket was initially created by TalentPen in February to transfer resume files to TigerSwan’s secure server.
“TalentPen created a secure site for the transfer of resume files to TigerSwan’s secure servers to close our account. The site was protected by a 20-character user ID and a 256-bit secret access key. It had a short lifespan, from February 6th through February 10th,” TigerSwan said in its statement. “TigerSwan downloaded files to our secure server on February 8th. We notified TalentPen that the download was complete and initiated their process to delete the files.”
The files were not deleted, however, until UpGuard reached AWS directly about a month following their initial discovery.
TigerSwan stated that they did not have access to the site and could not control it.
Many of the S3 misconfigurations found in recent months involved third-party vendors. UpGuard identified this as a common weakness in many organizations’ security environments: “When an enterprise has a highly secure and resilient IT toolchain, but outsources the task of handling sensitive or valuable data and does not have such well-designed processes and systems, it will still be the hiring enterprise that pays most.”