Leaky S3 bucket sloshes deets of thousands with US security clearance
Bunch of resumés citing secret government work exposed
Thousands of files containing the personal information of US citizens with classified security clearance have been exposed by an unsecured Amazon server.
The sensitive information of an estimated 9,400 job seekers, mostly military veterans, was stored on an Amazon Web Services S3 storage server that required no password to access. The details were held by third-party recruitment company TalentPen, who in turn were hired by TigerSwan, a North Carolina-based security firm. Many of the job seekers cited secret US government work.
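Added example (not code from the article, TigerSwan, UpGuard or AWS): the check a defender would run to catch the condition described above, a bucket whose ACL grants the AllUsers or AuthenticatedUsers group access while S3 Block Public Access (a control AWS added in 2018, after this incident) is absent or not set to ignore public ACLs. The evaluation works on dicts shaped like the GetBucketAcl and GetPublicAccessBlock responses so it runs offline on the constructed ACL included; audit_live() wiring it to boto3 is an assumption, and bucket-policy grants are deliberately out of scope.

```python
# Added example, not the article's code. audit_live() assumes boto3 and AWS credentials; the rest runs offline.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anonymous, no credentials
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account holder
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Constructed sample ACL: the AllUsers group holds READ, so anyone can list the bucket.
SAMPLE_PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0000owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

def public_grants(acl):
    """(group, permission) pairs the ACL hands to the anonymous or any-AWS-user groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found

def public_access_block_gaps(config):
    """Block Public Access flags that are off; None means no block is configured at all."""
    if config is None:
        return list(PAB_FLAGS)
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]

def assess_bucket(acl, pab_config):
    """IgnorePublicAcls=True neutralises public ACL grants, so ACL exposure needs a public
    grant AND that flag off. Bucket policies are a separate exposure path not checked here."""
    grants = public_grants(acl)
    gaps = public_access_block_gaps(pab_config)
    return {"public_grants": grants, "pab_gaps": gaps,
            "exposed_via_acl": bool(grants) and "IgnorePublicAcls" in gaps}

def audit_live():
    """Assess every bucket the caller's credentials can list (needs boto3 and AWS creds)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    findings = {}
    for name in [b["Name"] for b in s3.list_buckets()["Buckets"]]:
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # no block configured at all is the worst case, not an error
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        findings[name] = assess_bucket(s3.get_bucket_acl(Bucket=name), pab)
    return findings
```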
Cyber resilience company Upguard discovered and reported the resumé file breach to TigerSwan, which after investigation confirmed the problem. In a statement, TigerSwan apologised and said it was in the process of notifying those whose files were exposed. TigerSwan blamed TalentPen for the whole snafu.
TigerSwan also provided Gizmodo with emails confirming the third-party recruitment firm in question had been "dissolved".
"It is our understanding that Amazon Web Services informed TalentPen of this issue sometime in August, resulting in TalentPen removing the resumé files on August 24. TalentPen never notified us of their negligence with the resumé files nor that they had only recently removed the files. It was only when we reached out to them with the information on August 31 that they acknowledged their actions."
Rich Campagna, chief exec at Bitglass, said AWS leaks are a growing problem largely as a result of human error.
"In the last few months, we've seen a string of high-profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless and Dow Jones," Campagna said. "These exposures are difficult to stop because they originate from human error, not malice."
Amazon recently introduced Macie, a sort of "data loss prevention bot", to discover, classify and protect sensitive data in AWS S3. "Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS," Campagna concluded.
Thomas Fischer, global security advocate at Digital Guardian, said: "This incident could likely have been avoided if TigerSwan had an effective security policy review process in place and was integrating third parties into this methodology. Outsourcing to new technology partners does not mean that you no longer need stringent security initiatives. In fact, it actually means you need to put into place a stronger set of controls."
Javvad Malik, security advocate at AlienVault, added: "Massive breaches through unsecured AWS S3 buckets continue to be a troubling trend. While cloud providers take care of certain aspects of security, it is imperative that organisations ensure they are doing their part to ensure the security of data that is uploaded. As with other aspects of security, cloud environments need to be continually monitored and the security assessed. Otherwise organisations have no assurance as to whether the data is secure or not, and in this case, can be left exposed for long periods of time."