Leaky S3 bucket sloshes deets of thousands with US security clearance

Bunch of resumés citing secret government work exposed

Thousands of files containing the personal information of US citizens with classified security clearance have been exposed by an unsecured Amazon server.

The sensitive information of an estimated 9,400 job seekers, mostly military veterans, was stored on an Amazon Web Services S3 storage server that required no password to access. The details were held by third-party recruitment company TalentPen, who in turn were hired by TigerSwan, a North Carolina-based security firm. Many of the job seekers cited secret US government work.

Cyber resilience company UpGuard discovered and reported the resumé file breach to TigerSwan, which after investigation confirmed the problem. In a statement, TigerSwan apologised and said it was in the process of notifying those whose files were exposed. TigerSwan blamed TalentPen for the whole snafu.

TigerSwan also provided Gizmodo with emails confirming the third-party recruitment firm in question had been "dissolved".

It is our understanding that Amazon Web Services informed TalentPen of this issue sometime in August, resulting in TalentPen removing the resumé files on August 24. TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files. It was only when we reached out to them with the information on August 31 did they acknowledge their actions.

Rich Campagna, chief exec at Bitglass, said AWS leaks are a growing problem largely as a result of human error.

"In the last few months, we've seen a string of high-profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless and Dow Jones," Campagna said. "These exposures are difficult to stop because they originate from human error, not malice."

Amazon recently introduced Macie, a sort of "data loss prevention bot", to discover, classify and protect sensitive data in AWS S3. "Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS," Campagna concluded.

Thomas Fischer, global security advocate at Digital Guardian, said: "This incident could likely have been avoided if TigerSwan had an effective security policy review process in place and was integrating third parties into this methodology. Outsourcing to new technology partners does not mean that you no longer need stringent security initiatives. In fact, it actually means you need to put into place a stronger set of controls."

Javvad Malik, security advocate at AlienVault, added: "Massive breaches through unsecured AWS S3 buckets continue to be a troubling trend. While cloud providers take care of certain aspects of security, it is imperative that organisations ensure they are doing their part to ensure the security of data that is uploaded. As with other aspects of security, cloud environments need to be continually monitored and the security assessed. Otherwise organisations have no assurance as to whether the data is secure or not, and in this case, can be left exposed for long periods of time." ®
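The checks Malik and Fischer describe come down to reading three per-bucket documents that the S3 API exposes (the ACL, the bucket policy and the Block Public Access settings) and asking whether any of them would let an unauthenticated party read the bucket. The Python below is an added example, not code from the article or from any company it names: it evaluates those three documents offline for a bucket in the state described above (world-readable, no credentials required) and for a hardened one. The sample documents, bucket names and account ID are constructed, and the Block Public Access model is simplified to the two interactions a first-pass check needs.

```python
"""Added example (not from the article): offline assessment of an S3 bucket's
public exposure from its ACL, bucket policy and Block Public Access settings.
All sample documents below are constructed; names and IDs are placeholders."""
import json

# Group URIs that make an ACL grant readable by the world / by any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if a policy Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_doc):
    """Return (Sid, actions) for unconditional Allow statements open to everyone.
    A Condition block narrows the grant, so conditioned statements are skipped
    here; a full evaluator would inspect the condition keys themselves."""
    found = []
    for i, st in enumerate(_as_list(policy_doc.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if principal_is_public(st.get("Principal")):
            found.append((st.get("Sid", f"statement-{i}"), _as_list(st.get("Action"))))
    return found


def public_acl_grants(acl):
    """Return (group, permission) for grants to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group:
            out.append((group, grant.get("Permission")))
    return out


def assess_bucket(policy_doc, acl, public_access_block):
    """Return a list of exposure findings; an empty list means nothing public found.
    Simplified model: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy."""
    pab = public_access_block or {}  # None: no Block Public Access configured at all
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    if not pab.get("IgnorePublicAcls"):
        for group, perm in public_acl_grants(acl):
            findings.append(f"ACL grants {perm} to {group}")
    if not pab.get("RestrictPublicBuckets"):
        for sid, actions in public_policy_statements(policy_doc):
            findings.append(f"policy statement {sid} allows {', '.join(actions)} to everyone")
    return findings


# Constructed documents in the shape the S3 API returns for a bucket.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]}]
}""")
LEAKY_PAB = None

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-recruiting-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for label, docs in (("leaky", (LEAKY_POLICY, LEAKY_ACL, LEAKY_PAB)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(label, assess_bucket(*docs) or ["no public exposure found"])
```

In a live account the same three documents come from the S3 API (in boto3, `get_bucket_acl`, `get_bucket_policy`, whose `Policy` field is a JSON string to pass through `json.loads`, and `get_public_access_block`, which errors rather than returning an empty document when nothing is configured, hence the `None` handling). Running this on a schedule over every bucket is the kind of continual assessment the article's commentators are asking for; applying all four Block Public Access settings is what turns the leaky sample into a clean one even before the ACL and policy are fixed.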

Biting the hand that feeds IT © 1998–2022