Thousands of files containing personal information of military and intelligence personnel were allegedly left unsecured and available for public download on a misconfigured cloud server before being discovered earlier this year.
The files were from job applications to TigerSwan, a North Carolina-based private security firm, and date back to 2009.
On Saturday, TigerSwan blamed a third-party recruitment firm named TalentPen that it said worked for the company during the timeframe in focus.
The files, largely resumes, mostly came from members of the military, but also included intelligence veterans, a police chief and a United Nations worker in the Middle East. The files included personal contact information, such as addresses, phone numbers and private email addresses.
Chris Vickery, a researcher at security firm Upguard, said he discovered the unsecured set of resumes on a public-facing Amazon cloud server in July that was not protected by any form of login. Typically, this is the result of misconfigured security settings.
“I hope we were the only people to find them,” he told The Hill.
While the files were discovered in July, they were not taken down until the end of August due to confusion over the source of the resumes.
In February, when TigerSwan canceled its contract with TalentPen, TigerSwan claims the recruiter used Amazon cloud services to transfer the resumes it had amassed to TigerSwan.
TigerSwan said that transfer was conducted using high-end encryption and TalentPen was supposed to immediately delete the files. But the files remained on the site and, due to an apparent security setting misconfiguration, were not encrypted.
When Upguard contacted TigerSwan in July, TigerSwan said it believed Upguard was in error since TigerSwan does not store resumes on the Amazon cloud and since it believed TalentPen had both encrypted and deleted its copies.
At the end of August, Upguard contacted Amazon, which had TalentPen remove the files, but did not reveal to Upguard that TalentPen was the customer. TigerSwan claims TalentPen never notified them, either.
“TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files,” TigerSwan said in a statement.
TigerSwan said it was unaware that TalentPen had made the error until The Hill contacted them for a story earlier this week and raised the possibility that a recruiter had left the files online. Until then, TigerSwan argued the files were not theirs.
“It was only when we reached out to [TalentPen] with the information on August 31st did they acknowledge their actions,” TigerSwan said in their statement.
TigerSwan provided screenshots of an email from its former account manager at TalentPen explaining that the company had dissolved earlier that year. However, that manager still had access to billing records for the Amazon cloud account and confirmed that the account showed “activity that seems consistent with the number of files and the size of the over-all [sic] number of files.”
TigerSwan is encouraging any applicants for positions who submitted resumes during its contract with TalentPen to contact the company to check if any personally identifiable information was left vulnerable.
Former TalentPen management did not respond to requests for comment.