Thousands of files containing personal and sensitive information on US citizens who hold classified security clearances, up to Top Secret, have been exposed, presumably for most of the year, due to a security lapse.
Axar.az reports, citing Sputnik, that Chris Vickery, director of cyber risk research at the California-based security firm UpGuard, discovered the cache of around 9,400 job application files on an unsecured Amazon Web Services S3 storage server that required no password to access.
The documents reveal a high level of detail about the past duties and responsibilities of thousands of individuals who were formerly and may still currently be employed by the US Department of Defense and other agencies within the US intelligence community.
The exposed personal information includes social security numbers, driver's license and passport numbers, home addresses and many other contact details.
Having briefly reviewed the files, UpGuard found that the resumes included hundreds from applicants with Top Secret US security clearance — a prerequisite for a job at the Central Intelligence Agency, the National Security Agency, or the US Secret Service, among other government agencies.
Some of the documents also revealed sensitive and personal details about Iraqi and Afghan nationals who cooperated with US forces in their home countries and are now seen to have been put at risk in the leak.
The resumes were submitted for positions with the private security firm TigerSwan, but in a statement on Saturday, the firm asserted that the files were left unsecured by a third-party recruitment company called TalentPen, which was purportedly used to process new job applicants.
According to the TigerSwan statement, TalentPen set up the supposedly secure server to transfer resume files to a TigerSwan server following the termination of TalentPen's contract in February of this year.
"[We] learned that our former recruiting vendor TalentPen used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our login credentials expired," the TigerSwan statement said.
"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing."
Some of the applicants in the database were apparently involved in very sensitive and highly classified military operations. At least one applicant claimed that he was charged with the transportation of nuclear activation codes and weapons components.
UpGuard noted that they found it "troubling" that the files remained accessible for a month after their Cyber Risk Team notified TigerSwan about the exposure.
Due to the number of resumes involved, the true impact of the breach has yet to be fully realized.
2017.09.04 / 13:55