The data breach that exposed the data of high-level US security clearance workers was discovered by Chris Vickery, director of cyber risk research at the California-based security firm UpGuard.
He found the cache of around 9,400 job application files on an unsecure Amazon Web Services S3 storage server that required no password to access.
The documents include details about the past duties and responsibilities of thousands of individuals who were and might still be employed by the US Department of Defense and other agencies in the US intelligence community.
The information includes social security numbers, driver’s license and passport numbers, home addresses and other contact details. This represents a significant security failing.
TigerSwan, a US-based private security firm, has implicated TalentPen, a third-party vendor apparently used by the company to process new job applicants.
“[We] learned that our former recruiting vendor TalentPen used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our login credentials expired,” the TigerSwan statement said.
“Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing.”
UpGuard found that the exposed files also included hundreds of the CVs of those with Top Secret US security clearance, while some of the documents revealed details about Iraqi and Afghan nationals who cooperated with US forces. Indeed, some of those exposed by this data breach were involved in highly classified military operations.
One applicant claimed he had a role in the transportation of nuclear weapon activation codes and weapon components.
UpGuard said it was “troubled”, because the hugely sensitive files had remained accessible for a month after it alerted TigerSwan about the leak.
Commenting on the news is Javvad Malik, security advocate at AlienVault, who said: “Massive breaches through unsecured AWS S3 buckets continue to be a troubling trend. While cloud providers take care of certain aspects of security, it is imperative that organisations ensure they are doing their part to ensure the security of data that is uploaded. As with other aspects of security, cloud environments need to be continually monitored and the security assessed. Otherwise organisations have no assurance as to whether the data is secure or not, and in this case, can be left exposed for long periods of time.”