Bad news for U.S. job seekers who applied to government jobs: more than 9,400 job application files were found on an unsecured AWS S3 server, which required no password to access. Information exposed includes names, U.S. passport numbers, Social Security numbers, and addresses.
According to reports, applicants submitted their resumes to TigerSwan, a private security contractor, which had outsourced recruiting to TalentPen. TalentPen controlled the AWS server where resumes and personally identifiable information were stored. In February, when TigerSwan terminated its agreement with TalentPen, the contractor began the process of transferring the files to its servers, and notified TalentPen in accordance with data policy procedures, which should have triggered removal of the files from TalentPen’s servers.
However, according to TigerSwan, TalentPen did not remove the data as it should have, leaving it publicly available on its apparently misconfigured AWS S3 server. The data leak was discovered by researchers at UpGuard, a cyber resilience company, who notified TigerSwan in July—but data remained accessible until August 24, according to UpGuard.
“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans. As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach,” said Jim Reese, TigerSwan CEO, in the company's press release.
Especially troubling about this data breach is the revelation of personal information tying individuals to high security clearance roles, which could place these people at risk not only of identity theft but also potentially physical harm from actors seeking to gain U.S. intelligence data.
TigerSwan has opened a hotline (919-274-9717) for applicants who submitted their resumes to TigerSwan from 2008 to 2017, to see if their data has been revealed. The company notes that none of their servers were ever breached and that the resumes have now been secured, though this is of little comfort to applicants whose data was exposed. As for potential remedies, TigerSwan says only that they are “currently exploring all recourse and options available to us and those who submitted a resume.”