In the latest of a spate of data exposure incidents on Amazon S3 repositories, the PII of former military personnel was left vulnerable.
In the latest of a spate of data exposure incidents on Amazon S3 repositories, the PII of former military personnel was left vulnerable.

The resumes of about 6,000 former U.S. military personnel, many with top secret security clearance, were left exposed on an unsecured Amazon S3 server.

Security contractor TigerSwan has pinned the lapse on recruiting firm TalentPen that it used to process job applicants. The Amazon S3 was used to transfer documents from TalentPen to TigerSwan.

“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans,” TigerSwan CEO Jim Reese said in a statement. “As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach.”

The incident is the latest in a series of exposures on AWS S3 servers. "In the last few months, we've seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless and Dow Jones,” said Bitglass CEO Rich Campagna. “These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk.”

Stressing that TigerSwan's server had not been breached and that “all resume files in TigerSwan's possession are secure,” the company said Amazon had notified TalentPen of the exposed information in August and that the firm removed the resume files on August 24.  “TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files,” TigerSwan said. “It was only when we reached out to them with the information on August 31st did they acknowledge their actions.”

The company is exploring “all recourse and options available to us and those who submitted a resume” and encouraged anyone who had “voluntarily filled out a resume form on [its] website between 2008 and 2017” to call a hotline number, 919-274-9717, to determine whether the resume contained personally identifiable information (PII).

The latest incident underscores that companies must ensure that third parties meet stringent security standards as well. “Too often, organizations fail to recognize that the perimeters they're defending now extend exponentially to include customers, partners and other third parties with access to their network,” said CyberGRX CEO Fred Kneip. “The question companies need to ask is, ‘which of my third parties pose the most risk to my organization?' This requires a continuous understanding of the security posture of every company you do business with and the ability to work with them to mitigate vulnerabilities.”

Thomas Fischer, Global Security Advocate at Digital Guardian, said the third-party threat “combined with the rise of new computing platforms, such as IaaS, [mean] businesses face new threat vectors that simply would not have existed even a few years ago.”

Noting the “many benefits of a move to the cloud,“ Nir Polak, CEO at Exabeam, said that “one of the side effects is the loss of control and ability to properly monitor sensitive data. With little visibility into who is accessing what, businesses are essentially blind to data leakage.”  

Fischer said the TalentPen incident might have been “avoided if TigerSwan had an effective security policy review process in place and was integrating third parties into this methodology. Outsourcing to new technology partners does not mean that you no longer need stringent security initiatives. In fact, it actually means you need to put into place a stronger set of controls."

And Polak pressed for “a means to understand how data in cloud servers is being accessed and manipulated. With this capability, in the case of an incorrectly configured AWS server, security teams would immediately be made aware of someone accessing data that they shouldn't have access to. We have to accept that we'll lose some element of control over data when we move to the cloud. So, if we don't control that data, we have to put measures in place to monitor it.”

Campagna urged companies to take advantage of security controls that are readily available. “This is why Amazon recently introduced ‘Macie': to discover, classify and protect sensitive data in AWS S3. Organizations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS,” he said. “It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks."